npm - @hanzo/bot - Versions diffs - 2026.3.7 → 2026.3.8 - Mend

@hanzo/bot 2026.3.7 → 2026.3.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (450) hide show

package/dist/{gateway-cli-D7jJhAZQ.js → server-CG9eco0N.js} RENAMED Viewed

@@ -1,169 +1,107 @@
-import { a as logVerbose, d as colorize, f as isRich, g as getResolvedLoggerSettings, h as getLogger, m as getChildLogger, p as theme, s as setVerbose } from "./globals-d3aR1MYC.js";
-import { g as resolveStateDir, i as isNixMode, l as resolveGatewayLockDir, o as resolveConfigPath, r as STATE_DIR, t as CONFIG_PATH, u as resolveGatewayPort } from "./paths-BMo6kTge.js";
-import { a as setConsoleSubsystemFilter, d as defaultRuntime, n as runtimeForLogger, o as setConsoleTimestampPrefix, t as createSubsystemLogger } from "./subsystem-Cfn2Pryx.js";
-import "./boolean-DtWR5bt3.js";
+import { t as __exportAll } from "./rolldown-runtime-Cbj13DAv.js";
+import { a as logVerbose, g as getResolvedLoggerSettings, h as getLogger, m as getChildLogger } from "./globals-d3aR1MYC.js";
+import { g as resolveStateDir, i as isNixMode, r as STATE_DIR, t as CONFIG_PATH } from "./paths-BMo6kTge.js";
+import { n as defaultRuntime } from "./runtime-CvdZtNmJ.js";
+import { n as runtimeForLogger, t as createSubsystemLogger } from "./subsystem-C6poMade.js";
 import { i as logAcceptedEnvOption, r as isTruthyEnvValue } from "./entry.js";
-import { Ar as resolveHooksGmailModel, At as AVATAR_MAX_BYTES, B as parseConfigJson5, Cr as normalizeModelSelection, Dn as applyMergePatch, Er as resolveAllowedModelRef, Fr as resolveThinkingDefault, G as writeConfigFile, Gn as resolveSubagentMaxConcurrent, H as readConfigFileSnapshotForWrite, Hn as buildTalkConfigResponse, I as migrateLegacyConfig, K as validateConfigObjectWithPlugins, Li as DEFAULT_CONTEXT_TOKENS, Lt as looksLikeAvatarPath, Mt as isAvatarHttpUrl, Ni as normalizeSecretInput, Nr as resolveSubagentConfiguredModelSelection, Nt as isAvatarImageDataUrl, On as applyLegacyMigrations, Or as resolveConfiguredModelRef, R as createConfigIO, Ri as DEFAULT_MODEL, U as resolveConfigSnapshotHash, V as readConfigFileSnapshot, Wn as resolveAgentMaxConcurrent, br as isCliProvider, kn as ensureControlUiAllowedOriginsForNonLoopbackBind, kr as resolveDefaultModelForAgent, mr as buildAllowedModelSet, mt as parseByteSize, pr as isPidAlive, pt as parseDurationMs, q as BotSchema, vr as getModelRefStatus, z as loadConfig, zi as DEFAULT_PROVIDER } from "./auth-profiles-BCHBDrea.js";
-import { t as formatCliCommand } from "./command-format-CLEQe4bk.js";
-import { A as resolveDefaultAgentWorkspaceDir, C as DEFAULT_SOUL_FILENAME, E as ensureAgentWorkspace, O as isWorkspaceOnboardingCompleted, S as DEFAULT_MEMORY_FILENAME, T as DEFAULT_USER_FILENAME, a as resolveAgentDir, b as DEFAULT_IDENTITY_FILENAME, c as resolveAgentModelFallbacksOverride, d as resolveDefaultAgentId, g as DEFAULT_AGENTS_FILENAME, i as resolveAgentConfig, j as resolveWorkspaceTemplateDir, l as resolveAgentSkillsFilter, m as resolveSessionAgentId, n as listAgentEntries, r as listAgentIds, u as resolveAgentWorkspaceDir, v as DEFAULT_BOOTSTRAP_FILENAME, w as DEFAULT_TOOLS_FILENAME, x as DEFAULT_MEMORY_ALT_FILENAME, y as DEFAULT_HEARTBEAT_FILENAME } from "./agent-scope-C5bklqr1.js";
-import { C as isCronRunSessionKey, E as parseAgentSessionKey, T as isSubagentSessionKey, _ as normalizeAccountId$1, c as normalizeAgentId, g as DEFAULT_ACCOUNT_ID, h as toAgentStoreSessionKey, l as normalizeMainKey, m as toAgentRequestSessionKey, o as classifySessionKeyShape, r as buildAgentMainSessionKey, t as DEFAULT_AGENT_ID, u as resolveAgentIdFromSessionKey } from "./session-key-k6urs9r-.js";
-import { E as isPlainObject, S as sleep, T as truncateUtf16Safe, n as clamp, s as ensureDir, v as resolveUserPath, x as shortenHomePath } from "./utils-cwpAMi-t.js";
-import { a as openBoundaryFileSync, f as isNotFoundPathError, g as matchesSkillFilter, i as openBoundaryFile, o as openVerifiedFileSync, s as sameFileIdentity, t as resolveOpenClawPackageRoot } from "./openclaw-root-BFfBQ6FD.js";
-import { i as logWarn, t as logDebug } from "./logger-DB-PHqB2.js";
-import { n as runExec, t as runCommandWithTimeout } from "./exec-B45rafWZ.js";
-import { C as clearInternalHooks, E as triggerInternalHook, F as hasConfiguredSecretInput, T as registerInternalHook, h as createEmptyPluginRegistry, t as CHANNEL_IDS, u as getActivePluginRegistry, w as createInternalHookEvent } from "./registry-CxLUHPLp.js";
-import "./github-copilot-token-Byc_YVYE.js";
-import { u as isTestDefaultMemorySlotDisabled } from "./manifest-registry-9oWnIuht.js";
-import { n as resolveRuntimeServiceVersion, t as VERSION } from "./version-DdJhsIqk.js";
-import "./dock-D1Nz-RwP.js";
-import { i as isSilentReplyText, n as SILENT_REPLY_TOKEN } from "./tokens-g3GBx2U9.js";
-import { $ as getCliSessionId, $n as initSubagentRegistry, $r as markGatewayDraining, $t as deferGatewayRestartUntilIdle, A as resolveAgentAvatar, An as ACP_SESSION_IDENTITY_RENDERER_VERSION, At as normalizeRequiredName, Bn as resolveInputFileLimits, Br as resolveTtsAutoMode, Bt as isExternalHookSession, C as resolveAgentDeliveryPlan, Ct as normalizeCronJobCreate, D as createOutboundSendDeps$1, Dr as getAcpSessionManager, Dt as normalizeOptionalSessionKey, E as createDefaultDeps, Et as normalizeOptionalAgentId, Fn as DEFAULT_INPUT_MAX_REDIRECTS, Fr as clearBootstrapSnapshot, Gr as setTtsProvider, Hn as normalizeSendPolicy, Hr as resolveTtsPrefsPath, Ht as applyBrowserProxyPaths, I as buildHistoryContextFromEntries, In as DEFAULT_INPUT_TIMEOUT_MS, Ir as getTtsProvider, J as createReplyDispatcher, Jr as OPENAI_TTS_VOICES, Kn as isAbortRequestText, Kr as textToSpeech, Ln as extractFileContentFromSource, Lr as isTtsEnabled, Lt as buildSafeExternalPrompt, Mt as buildDeliveryFromLegacyPayload, Nn as DEFAULT_INPUT_IMAGE_MAX_BYTES, Nr as resolveUserTimezone, Nt as hasLegacyDeliveryHints, Or as resolveAgentSessionDirs, Ot as normalizeOptionalText, P as createReplyPrefixOptions, Pn as DEFAULT_INPUT_IMAGE_MIMES, Pt as stripLegacyDeliveryFields, Q as buildBareSessionResetPrompt, Qr as getTotalQueueSize, Qt as consumeGatewaySigusr1RestartAuthorization, Rn as extractImageContentFromSource, Rr as isTtsProviderConfigured, Rt as detectSuspiciousPatterns, Sn as isSystemEventContextChanged, Sr as registerAgentRunContext, St as normalizeHttpWebhookUrl, T as createOutboundSendDeps, Tn as requestHeartbeatNow, Tr as resolveBootstrapWarningSignaturesSeen, Tt as inferLegacyName, Un as resolveSendPolicy, Ur as resolveTtsProviderOrder, Ut as persistBrowserProxyFiles, Vr as resolveTtsConfig, Vt as closeTrackedBrowserTabsForSessions, Wr as setTtsEnabled, Wt as resolveSessionAuthProfileOverride, Xn as countActiveDescendantRuns, Xr as getActiveTaskCount, Xt as applyVerboseOverride, Y as getTotalPendingReplies, Yt as applyModelOverrideToSessionEntry, Zt as parseVerboseOverride, _ as requestBodyErrorToText, _r as resolveCronStyleNow, _t as formatRestartSentinelMessage, a as getPluginToolMeta, an as setPreRestartDeferralCheck, at as resolveOutboundSessionRoute, br as getAgentRunContext, c as loadBotPlugins, ci as stripHeartbeatToken, cn as normalizeGroupActivation, cr as resolveAnnounceTargetFromKey, ct as resolveOutboundTarget, dr as buildOutboundSessionContext, ei as resetAllLanes, en as emitGatewayRestart, et as setCliSessionId, fr as runEmbeddedPiAgent, ft as resetDirectoryCache, g as readJsonBodyWithLimit, gt as formatDoctorNonInteractiveHint, h as handleSlackHttpRequest, hr as waitForEmbeddedPiRunEnd, ht as consumeRestartSentinel, ii as DEFAULT_HEARTBEAT_ACK_MAX_CHARS, in as setGatewaySigusr1RestartPolicy, it as ensureOutboundSessionEntry, jt as migrateLegacyCronPayload, kr as resolveAgentIdentity, kt as normalizePayloadToSystemText, l as createPluginRuntime, lr as readLatestAssistantReply, lt as resolveSessionDeliveryTarget, mn as formatZonedTimestamp, mr as getActiveEmbeddedRunCount, mt as runWithModelFallback, n as applyToolPolicyPipeline, ni as waitForActiveTasks, nn as markGatewaySigusr1RestartHandled, nt as createBotTools, o as resolvePluginTools, on as triggerOpenClawRestart, or as resolveAgentTimeoutMs, p as resolveAgentOutboundIdentity, pr as abortEmbeddedPiRun, q as dispatchInboundMessage, qn as stopSubagentsForRequester, qr as OPENAI_TTS_MODELS, r as buildDefaultToolPolicyPipelineSteps, ri as CommandLane, rn as scheduleGatewaySigusr1Restart, sn as unbindThreadBindingsBySessionKey, sr as runSubagentAnnounceFlow, ti as setCommandLaneConcurrency, tn as isGatewaySigusr1RestartExternallyAllowed, tr as listDescendantRunsForRequester, tt as runCliAgent, un as loadProviderUsageSummary, ur as clearSessionQueues, ut as resolveOutboundChannelPlugin, vr as clearAgentRunContext, w as resolveAgentOutboundTarget, wt as normalizeCronJobPatch, x as agentCommandFromIngress, xn as enqueueSystemEvent, xr as onAgentEvent, xt as writeRestartSentinel, yr as emitAgentEvent, yt as summarizeRestartSentinel, zn as normalizeMimeList, zr as resolveTtsApiKey, zt as getHookType } from "./compact-CenE94cW.js";
-import { i as resolveWhatsAppAccount } from "./accounts-Da-TWEIc.js";
-import { n as listChannelPlugins, o as normalizeWhatsAppTarget, r as normalizeChannelId, t as getChannelPlugin, v as buildChannelAccountBindings } from "./plugins-D3Wuignn.js";
-import "./logging-DRwtiLIS.js";
-import "./send-rLuC3ZNP.js";
-import "./send-DGbx1H-1.js";
-import { a as getMachineDisplayName, i as startBrowserControlServiceFromConfig, n as createBrowserRouteDispatcher, r as createBrowserControlContext } from "./with-timeout-BVwCWUvY.js";
-import { j as runGlobalGatewayStopSafely, k as getGlobalHookRunner, o as normalizeReplyPayloadsForDelivery, t as deliverOutboundPayloads } from "./deliver-DPkEY6xb.js";
-import { d as startDiagnosticHeartbeat, f as stopDiagnosticHeartbeat, h as isDiagnosticsEnabled } from "./diagnostic-DCevSIi3.js";
-import "./accounts-DRUpcCkN.js";
-import { c as detectMime } from "./image-ops-DBPCaLYI.js";
-import { b as resolveCronStorePath, x as saveCronStore, y as loadCronStore } from "./send-CGAq-Ure.js";
-import "./pi-model-discovery-BUP6uy2Q.js";
-import { _ as normalizeGatewayClientMode, f as GATEWAY_CLIENT_CAPS, g as hasGatewayClientCap, h as GATEWAY_CLIENT_NAMES, i as isGatewayMessageChannel, l as normalizeMessageChannel, m as GATEWAY_CLIENT_MODES, n as isDeliverableMessageChannel, p as GATEWAY_CLIENT_IDS, r as isGatewayCliClient, s as isWebchatClient, t as INTERNAL_MESSAGE_CHANNEL } from "./message-channel-7mpcAPwa.js";
-import "./pi-embedded-helpers-BMC2HFyB.js";
-import { C as resolveToolProfilePolicy, _ as collectExplicitAllowlist, y as mergeAlsoAllowPolicy } from "./sandbox-DN9CY7lp.js";
-import { i as listCoreToolSections, n as PROFILE_OPTIONS, o as resolveCoreToolProfiles } from "./tool-catalog-omkiks3D.js";
-import "./chrome-TWq_09_a.js";
-import { i as enableTailscaleServe, n as disableTailscaleServe, o as getTailnetHostname, r as enableTailscaleFunnel, t as disableTailscaleFunnel } from "./tailscale-DOG3cjSj.js";
-import { t as safeEqualSecret } from "./secret-equal-DxKrAcRs.js";
-import { n as pickPrimaryTailnetIPv4, r as pickPrimaryTailnetIPv6 } from "./tailnet-B-wq8YXh.js";
-import { c as normalizeHostHeader, d as resolveGatewayBindHost, f as resolveGatewayListenHosts, i as isLoopbackHost, l as pickPrimaryLanIPv4, n as isLocalishHost, o as isTrustedProxyAddress, r as isLoopbackAddress, s as isValidIPv4, t as rawDataToString, u as resolveClientIp } from "./ws-ChEZbUss.js";
-import { a as resolveGatewayAuth, c as AUTH_RATE_LIMIT_SCOPE_SHARED_SECRET, i as isLocalDirectRequest, l as createAuthRateLimiter, n as authorizeHttpGatewayConnect, o as AUTH_RATE_LIMIT_SCOPE_DEVICE_TOKEN, r as authorizeWsControlUiGatewayConnect, s as AUTH_RATE_LIMIT_SCOPE_HOOK_AUTH, t as assertGatewayAuthConfigured, u as normalizeRateLimitClientIp } from "./auth-CqlFkBrB.js";
-import { d as mergeGatewayTailscaleConfig, l as ensureGatewayStartupAuth, u as mergeGatewayAuthConfig } from "./server-context-B1j20KiF.js";
-import { d as hasBinary } from "./frontmatter-BIwJR052.js";
-import { i as loadWorkspaceSkillEntries, r as buildWorkspaceSkillSnapshot } from "./skills-DjMDgmlj.js";
-import { n as assertNoPathAliasEscape } from "./path-alias-guards-CUaIvLOE.js";
-import "./paths-Dr0uMr7v.js";
-import { a as testRegexWithBoundedInput, i as compileSafeRegex } from "./redact-BsCSVGmT.js";
-import { o as isErrno, r as formatErrorMessage } from "./errors-Dh5KARaE.js";
-import { i as openFileWithinRoot, l as writeFileWithinRoot, s as readLocalFileSafely, t as SafeOpenError } from "./fs-safe-DtMJsayp.js";
-import { n as SsrFBlockedError } from "./proxy-env-CKBWNd19.js";
-import "./store-BgCLFtxS.js";
-import { n as inspectPortUsage, o as formatPortDiagnostics, t as ensurePortAvailable } from "./ports-B8DmvnDT.js";
-import { t as movePathToTrash } from "./trash-ChZlaria.js";
-import "./server-middleware-C0e-wReR.js";
-import { n as readJsonFile, r as writeJsonAtomic, t as createAsyncLock } from "./json-files-UKlMS7yU.js";
-import { $ as resolveMainSessionKeyFromConfig, A as readSessionPreviewItemsFromTranscript, B as evaluateSessionFreshness, C as normalizeSessionDeliveryFields, D as capArrayByJsonBytes, E as archiveSessionTranscripts, H as resolveSessionResetPolicy, I as stripInlineDirectiveTagsForDisplay, J as setSessionRuntimeModel, K as mergeSessionEntry, L as stripInlineDirectiveTagsFromMessageForDisplay, M as resolveSessionTranscriptCandidates, N as stripEnvelopeFromMessage, O as cleanupArchivedSessionTranscripts, P as stripEnvelopeFromMessages, Q as resolveMainSessionKey, R as jsonUtf8Bytes, T as archiveFileOnDisk, X as resolveAgentMainSessionKey, Y as canonicalizeMainSessionAlias, Z as resolveExplicitAgentSessionKey, ct as cleanStaleLockFiles, d as updateSessionStore, k as readSessionMessages, n as parseSessionThreadInfo, o as loadSessionStore, t as extractDeliveryInfo, tt as snapshotSessionOrigin, x as mergeDeliveryContext, y as deliveryContextFromSession } from "./sessions-Db2DF_68.js";
-import "./accounts-D-CXitCL.js";
-import { c as resolveStorePath, i as resolveSessionTranscriptPath, n as resolveSessionFilePath, r as resolveSessionFilePathOptions, s as resolveSessionTranscriptsDirForAgent } from "./paths-0GcCtgXm.js";
-import { i as normalizeInputProvenance } from "./input-provenance-ByYWugDu.js";
-import "./chat-envelope-CrWMMV_a.js";
-import { o as estimateBase64DecodedBytes } from "./tool-images-Bkv3er-8.js";
-import { a as normalizeElevatedLevel, c as normalizeUsageDisplay, d as supportsXHighThinking, l as normalizeVerboseLevel, n as formatXHighModelHint, o as normalizeReasoningLevel, s as normalizeThinkLevel, t as formatThinkingLevels } from "./thinking-RV_E8HFV.js";
-import "./models-config-Tnpb1ctj.js";
-import "./exec-approvals-allowlist-CSlk-iUy.js";
-import "./exec-safe-bin-runtime-policy-C4OXhXIe.js";
-import { n as loadModelCatalog } from "./model-catalog-B3fDLVsV.js";
-import "./fetch-COQIeEVX.js";
-import { g as registerUnhandledRejectionHandler } from "./audio-transcription-runner-DCsEpXgz.js";
-import { t as fetchWithSsrFGuard } from "./fetch-guard-BiNciKHu.js";
-import { b as extractTextFromChatContent } from "./image-DFnt4Uwg.js";
-import "./tool-display-CpQNRadF.js";
-import "./api-key-rotation-DuxfwUin.js";
-import "./proxy-fetch-CuomJeW8.js";
-import "./ir-CaGizvli.js";
-import "./render-scQFEkLe.js";
-import { a as ToolInputError } from "./target-errors-D41KLMCY.js";
-import { r as isRestartEnabled } from "./commands-BAjCW6P6.js";
-import "./commands-registry-bwa5zMJ1.js";
-import { c as hasNonzeroUsage, i as loadSessionUsageTimeSeries, n as loadCostUsageSummary, r as loadSessionCostSummary, s as deriveSessionTotalTokens, t as discoverAllSessions } from "./session-cost-usage-BKD6u4HD.js";
-import "./sqlite-C0jSdAfK.js";
-import { $ as validateNodePairApproveParams, $t as updatePairedDeviceMetadata, A as validateCronRunParams, At as validateWizardCancelParams, B as validateExecApprovalRequestParams, Bt as buildDeviceAuthPayloadV3, C as validateConfigSchemaLookupResult, Ct as validateTalkConfigParams, D as validateCronAddParams, Dt as validateWakeParams, E as validateConnectParams, Et as validateUpdateRunParams, F as validateDevicePairListParams, Ft as ErrorCodes, G as validateExecApprovalsSetParams, Gt as getPairedDevice, H as validateExecApprovalsGetParams, I as validateDevicePairRejectParams, It as errorShape, J as validateNodeDescribeParams, Jt as removePairedDevice, K as validateLogsTailParams, Kt as listDevicePairing, L as validateDevicePairRemoveParams, M as validateCronStatusParams, Mt as validateWizardStartParams, N as validateCronUpdateParams, Nt as validateWizardStatusParams, O as validateCronListParams, Ot as validateWebLoginStartParams, P as validateDevicePairApproveParams, Pt as PROTOCOL_VERSION, Q as validateNodeListParams, Qt as summarizeDeviceTokens, R as validateDeviceTokenRevokeParams, Rt as parseSessionLabel, S as validateConfigSchemaLookupParams, St as validateSkillsUpdateParams, T as validateConfigSetParams, Tt as validateToolsCatalogParams, U as validateExecApprovalsNodeGetParams, Ut as approveDevicePairing, V as validateExecApprovalResolveParams, Vt as normalizeDeviceMetadataForAuth, W as validateExecApprovalsNodeSetParams, Wt as ensureDeviceToken, X as validateNodeInvokeParams, Xt as revokeDeviceToken, Y as validateNodeEventParams, Yt as requestDevicePairing, Z as validateNodeInvokeResultParams, Zt as rotateDeviceToken, _ as validateChatInjectParams, _t as validateSessionsResolveParams, a as validateAgentWaitParams, an as normalizeDevicePublicKeyBase64Url, at as validatePollParams, b as validateConfigGetParams, bt as validateSkillsInstallParams, c as validateAgentsFilesGetParams, ct as validateSecretsResolveParams, d as validateAgentsListParams, dt as validateSessionsCompactParams, en as verifyDeviceToken, et as validateNodePairListParams, f as validateAgentsUpdateParams, ft as validateSessionsDeleteParams, g as validateChatHistoryParams, gt as validateSessionsResetParams, h as validateChatAbortParams, ht as validateSessionsPreviewParams, i as validateAgentParams, it as validateNodeRenameParams, j as validateCronRunsParams, jt as validateWizardNextParams, k as validateCronRemoveParams, kt as validateWebLoginWaitParams, l as validateAgentsFilesListParams, lt as validateSecretsResolveResult, m as validateChannelsStatusParams, mt as validateSessionsPatchParams, n as formatValidationErrors, nt as validateNodePairRequestParams, o as validateAgentsCreateParams, on as verifyDeviceSignature, ot as validatePushTestParams, p as validateChannelsLogoutParams, pt as validateSessionsListParams, q as validateModelsListParams, qt as rejectDevicePairing, r as validateAgentIdentityParams, rn as deriveDeviceIdFromPublicKey, rt as validateNodePairVerifyParams, s as validateAgentsDeleteParams, st as validateRequestFrame, tn as roleScopesAllow, tt as validateNodePairRejectParams, u as validateAgentsFilesSetParams, ut as validateSendParams, v as validateChatSendParams, vt as validateSessionsUsageParams, w as validateConfigSchemaParams, wt as validateTalkModeParams, x as validateConfigPatchParams, xt as validateSkillsStatusParams, y as validateConfigApplyParams, yt as validateSkillsBinsParams, z as validateDeviceTokenRotateParams, zt as buildDeviceAuthPayload } from "./client-DWdu7Vc_.js";
-import { c as ADMIN_SCOPE$3, d as isNodeRoleMethod, n as callGateway, p as loadGatewayTlsRuntime$1, u as authorizeOperatorScopesForMethod } from "./call-C4z2LJrI.js";
-import "./pairing-token-Tb0YsOGr.js";
-import "./fetch-TlhZeXdg.js";
-import { a as readChannelAllowFromStoreSync } from "./pairing-store-nyK6CFoT.js";
-import { a as mergeExecApprovalsSocketDefaults, c as readExecApprovalsSnapshot, p as saveExecApprovals, r as ensureExecApprovals, s as normalizeExecApprovals, t as DEFAULT_EXEC_APPROVAL_TIMEOUT_MS } from "./exec-approvals-B5leCM6K.js";
-import { _ as matchSystemRunApprovalBinding, g as buildSystemRunApprovalBinding, h as resolveSystemRunApprovalRuntimeContext, m as resolveSystemRunApprovalRequestContext, v as missingSystemRunApprovalBinding, y as toSystemRunApprovalMismatchError } from "./nodes-screen-DmJ2G431.js";
-import { n as resolveSystemRunCommand } from "./system-run-command-ZDr-0-G2.js";
-import { a as loadCombinedSessionStoreForGateway, c as resolveGatewaySessionStoreTarget, f as computeBackoff, i as listSessionsFromStore, l as resolveSessionModelRef, o as loadSessionEntry, p as sleepWithAbort, r as listAgentsForGateway, s as pruneLegacyStoreKeys, t as canonicalizeSpawnedByForAgent, u as lookupContextTokens } from "./session-utils-CigqosOc.js";
-import { n as formatTokenCount, r as formatUsd } from "./usage-format-BMWvYDjj.js";
-import { _ as updatePairedNodeMetadata, a as getRemoteSkillEligibility, b as getSkillsSnapshotVersion, c as refreshRemoteBinsForConnectedNodes, d as setSkillsRemoteRegistry, f as approveNodePairing, g as requestNodePairing, h as renamePairedNode, l as refreshRemoteNodeBins, m as rejectNodePairing, o as primeRemoteSkillsCache, p as listNodePairing, s as recordRemoteNodeInfo, u as removeRemoteNodeInfo, v as verifyNodeToken, x as registerSkillsChangeListener } from "./skill-commands-BFUWbeCU.js";
-import { a as resolveSubagentToolPolicy, i as resolveGroupToolPolicy, r as resolveEffectiveToolPolicy } from "./pi-tools.policy-C_cbrlt5.js";
-import { t as listAgentWorkspaceDirs } from "./workspace-dirs-Cb43onAl.js";
-import { t as getChannelActivity } from "./channel-activity-Bch3Rz78.js";
-import { n as normalizePollInput } from "./polls-D86s6oEI.js";
-import "./tables-Bb1hkkgV.js";
-import "./server-lifecycle-D8uRbSiN.js";
-import { i as parseAbsoluteTimeMs, n as resolveCronStaggerMs, r as resolveDefaultCronStaggerMs, t as normalizeCronStaggerMs } from "./stagger-DW-U0kcV.js";
-import { n as resolveMessageChannelSelection } from "./channel-selection-CXz2aSCs.js";
-import { i as buildChannelUiCatalog, t as applyPluginAutoEnable } from "./plugin-auto-enable-DdGdWKDo.js";
-import "./send-Ge3BmrKO.js";
-import "./outbound-attachment-D7sOzAQn.js";
-import "./delivery-queue-DgdE_Ifa.js";
-import "./send-7T5wUQDt.js";
-import "./proxy-BNFyBgvu.js";
-import "./timeouts-G9Yto-nj.js";
-import { n as GATEWAY_AUTH_SURFACE_PATHS, p as isKnownSecretTargetId, r as evaluateGatewayAuthSurfaceStates } from "./runtime-config-collectors-CCkqshyY.js";
-import "./command-secret-targets-B2OuvZQf.js";
-import { C as normalizeControlUiBasePath, S as buildControlUiAvatarUrl, c as handleReset, w as resolveAssistantAvatarUrl, x as CONTROL_UI_AVATAR_PREFIX } from "./onboard-helpers-Dtu3-e93.js";
-import "./prompt-style-C1jf_-k5.js";
-import "./pairing-labels-CjKrz2C9.js";
-import { i as resolveMemoryBackendConfig, r as getMemorySearchManager } from "./memory-cli-C6ocXZHW.js";
-import { i as resolveMemorySearchConfig } from "./manager-BYSXh-I3.js";
-import { t as formatDocsLink } from "./links-C7eMwu1P.js";
-import { n as runCommandWithRuntime } from "./cli-utils-DK6017OO.js";
-import { t as formatHelpExamples } from "./help-format-ncfKj8zq.js";
-import { n as withProgress } from "./progress-DLHMb9Nz.js";
-import { t as buildWorkspaceSkillStatus } from "./skills-status-CeHRbTXe.js";
-import { i as onHeartbeatEvent, r as getLastHeartbeatEvent, t as resolveHeartbeatVisibility } from "./heartbeat-visibility-_K4bnQDH.js";
-import { t as ensureOpenClawCliOnPath } from "./path-env-LTMy-Xkk.js";
-import { n as DEFAULT_GATEWAY_HTTP_TOOL_DENY } from "./dangerous-tools-DjOwyW3J.js";
-import { n as inheritOptionFromParent } from "./command-options-j8s8APBQ.js";
-import { t as WizardCancelledError } from "./prompts-GoDC3iAV.js";
-import { t as resolveChannelDefaultAccountId } from "./helpers-CIEbwEWl.js";
-import { a as pruneAgentConfig, i as loadAgentIdentity, r as findAgentEntryIndex, t as applyAgentConfig } from "./agents.config-BQ8I8wuY.js";
-import { t as isWithinDir } from "./path-safety-DwIbN_B2.js";
-import "./install-safe-path-Df97RWiJ.js";
-import "./skill-scanner-B5APVdka.js";
-import { n as formatConfigIssueLines } from "./issue-format-DjqrcimU.js";
-import { t as buildChannelAccountSnapshot } from "./status-pXeXDUup.js";
-import "./channels-status-issues-BAy-21Cb.js";
-import { a as buildBaseHints, i as applySensitiveHints, n as redactConfigSnapshot, o as mapSensitivePaths, r as restoreRedactedValues, s as applyDerivedTags, t as redactConfigObject } from "./redact-snapshot-COg8NLLO.js";
-import "./daemon-install-helpers-C1QLEGFF.js";
-import "./runtime-guard-BMUPc-7K.js";
-import "./gateway-install-token-tifgQqTq.js";
-import "./systemd-tpTWQ79a.js";
-import "./service-BJxGQl0h.js";
-import "./lifecycle-core-BXWGDU3R.js";
-import "./systemd-hints-CLH4_-IK.js";
-import { t as parsePort$1 } from "./parse-port-CboE2EQm.js";
-import { n as addGatewayServiceCommands } from "./daemon-cli-OBRBnIhu.js";
-import { t as probeGateway } from "./probe-D23qt8BT.js";
-import "./diagnostics-vhe8iPOe.js";
-import "./table-D9z5aFl9.js";
-import { n as resolveWideAreaDiscoveryDomain, r as writeWideAreaGatewayZone } from "./widearea-dns-Blh7W-0q.js";
-import { i as toOptionString, n as extractGatewayMiskeys, r as maybeExplainGatewayServiceStop, t as describeUnknownError } from "./shared-DcKZdze7.js";
-import { t as discoverGatewayBeacons } from "./bonjour-discovery-CzNIGZ7K.js";
-import { t as resolveConfiguredSecretInputString } from "./resolve-configured-secret-input-string-ySbc3h26.js";
-import { i as pickGatewaySelfPresence, r as getStatusSummary } from "./status-D3cIxG_a.js";
-import { a as styleHealthChannelLine, c as setHeartbeatsEnabled, l as startHeartbeatRunner, n as getHealthSnapshot, s as runHeartbeatOnce, t as formatHealthChannelLines, u as isCronSystemEvent } from "./health-DTtmaQPz.js";
-import { a as resolveControlUiRootSync, i as resolveControlUiRootOverrideSync, t as ensureControlUiAssetsBuilt } from "./control-ui-assets-CvLJNwEr.js";
-import { h as normalizeUpdateChannel, l as DEFAULT_PACKAGE_CHANNEL, n as checkUpdateStatus, o as resolveNpmChannelTag, r as compareSemverStrings } from "./channel-account-context-DyLW8OD1.js";
-import { a as resolveCommandSecretsFromActiveRuntimeSnapshot, i as prepareSecretsRuntimeSnapshot, n as clearSecretsRuntimeSnapshot, r as getActiveSecretsRuntimeSnapshot, t as activateSecretsRuntimeSnapshot } from "./runtime-BkR9qMZk.js";
-import "./onboarding.secret-input-BO32ZliB.js";
-import { t as runOnboardingWizard } from "./onboarding-DozRyXTe.js";
-import { a as sendApnsAlert, c as parseMessageWithAttachments, d as shouldLogWs, f as summarizeAgentEventForWsLog, i as resolveApnsAuthConfigFromEnv, l as formatForLog, n as normalizeApnsEnvironment, o as sendApnsBackgroundWake, p as setGatewayWsLogStyle, s as normalizeRpcAttachmentsToChatAttachments, t as loadApnsRegistration, u as logWs } from "./push-apns-BNjpWCK5.js";
-import { T as resolveGmailHookRuntimeConfig, _ as buildGogWatchServeArgs, i as ensureTailscaleEndpoint, v as buildGogWatchStartArgs } from "./gmail-setup-utils-B1wEc-nz.js";
-import { n as isNodeCommandAllowed, r as resolveNodeCommandAllowlist } from "./node-command-policy-C9mK2tft.js";
-import { n as collectEnabledInsecureOrDangerousFlags } from "./audit-DCJbont3.js";
-import "./node-service-DB36GYv5.js";
-import "./status.update-DeJopD-c.js";
-import { t as installSkill } from "./skills-install-jLz2vwvm.js";
-import { t as runGatewayUpdate } from "./update-runner-DtN1XGSv.js";
-import { i as shouldIncludeHook, r as resolveHookConfig, t as loadWorkspaceHookEntries } from "./workspace-BrC46nbq.js";
-import { n as forceFreePortAndWait, r as waitForPortBindable } from "./ports-BZsa4E0e.js";
+import { An as resolveSubagentMaxConcurrent, B as parseConfigJson5, Bn as buildAllowedModelSet, Dn as buildTalkConfigResponse, G as writeConfigFile, H as readConfigFileSnapshotForWrite, I as migrateLegacyConfig, K as validateConfigObjectWithPlugins, Kn as isCliProvider, Qn as resolveAllowedModelRef, St as looksLikeAvatarPath, U as resolveConfigSnapshotHash, V as readConfigFileSnapshot, Wn as getModelRefStatus, Yn as normalizeModelSelection, _t as isAvatarHttpUrl, ai as normalizeSecretInput, ar as resolveSubagentConfiguredModelSelection, di as DEFAULT_PROVIDER, er as resolveConfiguredModelRef, fn as applyMergePatch, ht as AVATAR_MAX_BYTES, kn as resolveAgentMaxConcurrent, li as DEFAULT_CONTEXT_TOKENS, mn as ensureControlUiAllowedOriginsForNonLoopbackBind, mt as parseByteSize, nr as resolveHooksGmailModel, pn as applyLegacyMigrations, pt as parseDurationMs, q as BotSchema, sr as resolveThinkingDefault, tr as resolveDefaultModelForAgent, ui as DEFAULT_MODEL, vt as isAvatarImageDataUrl, z as loadConfig } from "./auth-profiles-BtxyXCZY.js";
+import { t as formatCliCommand } from "./command-format-MESnUO9S.js";
+import { C as DEFAULT_SOUL_FILENAME, E as ensureAgentWorkspace, O as isWorkspaceOnboardingCompleted, S as DEFAULT_MEMORY_FILENAME, T as DEFAULT_USER_FILENAME, a as resolveAgentDir, b as DEFAULT_IDENTITY_FILENAME, c as resolveAgentModelFallbacksOverride, d as resolveDefaultAgentId, g as DEFAULT_AGENTS_FILENAME, i as resolveAgentConfig, l as resolveAgentSkillsFilter, m as resolveSessionAgentId, n as listAgentEntries, r as listAgentIds, u as resolveAgentWorkspaceDir, v as DEFAULT_BOOTSTRAP_FILENAME, w as DEFAULT_TOOLS_FILENAME, x as DEFAULT_MEMORY_ALT_FILENAME, y as DEFAULT_HEARTBEAT_FILENAME } from "./agent-scope-BcruZHHR.js";
+import { C as isCronRunSessionKey, E as parseAgentSessionKey, T as isSubagentSessionKey, _ as normalizeAccountId$1, c as normalizeAgentId, g as DEFAULT_ACCOUNT_ID, h as toAgentStoreSessionKey, l as normalizeMainKey, m as toAgentRequestSessionKey, o as classifySessionKeyShape, r as buildAgentMainSessionKey, t as DEFAULT_AGENT_ID, u as resolveAgentIdFromSessionKey } from "./session-key-CC77ya0a.js";
+import { E as isPlainObject, S as sleep, T as truncateUtf16Safe, n as clamp, s as ensureDir, v as resolveUserPath } from "./utils-BnC3HGtm.js";
+import { a as openBoundaryFileSync, f as isNotFoundPathError, g as matchesSkillFilter, i as openBoundaryFile, o as openVerifiedFileSync, s as sameFileIdentity, t as resolveOpenClawPackageRoot } from "./openclaw-root-T5G2ldGE.js";
+import { i as logWarn, t as logDebug } from "./logger-DyQjakwH.js";
+import { n as runExec, t as runCommandWithTimeout } from "./exec-B8Hv4Nkd.js";
+import { u as isTestDefaultMemorySlotDisabled } from "./manifest-registry-m_hXBIk-.js";
+import { n as resolveRuntimeServiceVersion, t as VERSION } from "./version-DT-JIO28.js";
+import { D as triggerInternalHook, E as registerInternalHook, T as createInternalHookEvent, d as getActivePluginRegistry, g as createEmptyPluginRegistry, t as CHANNEL_IDS, w as clearInternalHooks } from "./registry-DnJ84ILp.js";
+import { i as isSilentReplyText, n as SILENT_REPLY_TOKEN } from "./tokens-C3eENCf9.js";
+import { $ as getCliSessionId, $n as resolveAnnounceTargetFromKey, $t as normalizeGroupActivation, A as resolveAgentAvatar, An as normalizeMimeList, Ar as resolveTtsApiKey, At as normalizeRequiredName, Bt as isExternalHookSession, C as resolveAgentDeliveryPlan, Ct as normalizeCronJobCreate, D as createOutboundSendDeps$1, Dn as DEFAULT_INPUT_TIMEOUT_MS, Dr as getTtsProvider, Dt as normalizeOptionalSessionKey, E as createDefaultDeps, En as DEFAULT_INPUT_MAX_REDIRECTS, Er as clearBootstrapSnapshot, Et as normalizeOptionalAgentId, Fr as setTtsEnabled, Gr as stripHeartbeatToken, Ht as applyBrowserProxyPaths, I as buildHistoryContextFromEntries, Ir as setTtsProvider, J as createReplyDispatcher, Kn as listDescendantRunsForRequester, Ln as isAbortRequestText, Lr as textToSpeech, Lt as buildSafeExternalPrompt, Mr as resolveTtsConfig, Mt as buildDeliveryFromLegacyPayload, Nn as normalizeSendPolicy, Nr as resolveTtsPrefsPath, Nt as hasLegacyDeliveryHints, On as extractFileContentFromSource, Or as isTtsEnabled, Ot as normalizeOptionalText, P as createReplyPrefixOptions, Pn as resolveSendPolicy, Pr as resolveTtsProviderOrder, Pt as stripLegacyDeliveryFields, Q as buildBareSessionResetPrompt, Qn as runSubagentAnnounceFlow, Qt as unbindThreadBindingsBySessionKey, Rn as stopSubagentsForRequester, Rr as OPENAI_TTS_MODELS, Rt as detectSuspiciousPatterns, St as normalizeHttpWebhookUrl, T as createOutboundSendDeps, Tn as DEFAULT_INPUT_IMAGE_MIMES, Tt as inferLegacyName, Ut as persistBrowserProxyFiles, Vn as countActiveDescendantRuns, Vr as DEFAULT_HEARTBEAT_ACK_MAX_CHARS, Vt as closeTrackedBrowserTabsForSessions, Wn as initSubagentRegistry, Wt as resolveSessionAuthProfileOverride, Xt as applyVerboseOverride, Y as getTotalPendingReplies, Yt as applyModelOverrideToSessionEntry, Zn as resolveAgentTimeoutMs, Zt as parseVerboseOverride, _ as requestBodyErrorToText, _t as formatRestartSentinelMessage, a as getPluginToolMeta, an as formatZonedTimestamp, ar as getActiveEmbeddedRunCount, at as resolveOutboundSessionRoute, br as resolveAgentIdentity, c as loadBotPlugins, cr as resolveCronStyleNow, ct as resolveOutboundTarget, dr as getAgentRunContext, er as readLatestAssistantReply, et as setCliSessionId, fn as enqueueSystemEvent, fr as onAgentEvent, ft as resetDirectoryCache, g as readJsonBodyWithLimit, gn as requestHeartbeatNow, gr as resolveBootstrapWarningSignaturesSeen, gt as formatDoctorNonInteractiveHint, h as handleSlackHttpRequest, ht as consumeRestartSentinel, ir as abortEmbeddedPiRun, it as ensureOutboundSessionEntry, jn as resolveInputFileLimits, jr as resolveTtsAutoMode, jt as migrateLegacyCronPayload, kn as extractImageContentFromSource, kr as isTtsProviderConfigured, kt as normalizePayloadToSystemText, l as createPluginRuntime, lr as clearAgentRunContext, lt as resolveSessionDeliveryTarget, mt as runWithModelFallback, n as applyToolPolicyPipeline, nr as buildOutboundSessionContext, nt as createBotTools, o as resolvePluginTools, or as waitForEmbeddedPiRunEnd, p as resolveAgentOutboundIdentity, pn as isSystemEventContextChanged, pr as registerAgentRunContext, q as dispatchInboundMessage, r as buildDefaultToolPolicyPipelineSteps, rr as runEmbeddedPiAgent, tn as loadProviderUsageSummary, tr as clearSessionQueues, tt as runCliAgent, ur as emitAgentEvent, ut as resolveOutboundChannelPlugin, vr as getAcpSessionManager, w as resolveAgentOutboundTarget, wn as DEFAULT_INPUT_IMAGE_MAX_BYTES, wr as resolveUserTimezone, wt as normalizeCronJobPatch, x as agentCommandFromIngress, xn as ACP_SESSION_IDENTITY_RENDERER_VERSION, xt as writeRestartSentinel, yr as resolveAgentSessionDirs, yt as summarizeRestartSentinel, zr as OPENAI_TTS_VOICES, zt as getHookType } from "./compact-CuLMew-8.js";
+import { i as resolveWhatsAppAccount } from "./accounts-C04lw_uh.js";
+import { n as listChannelPlugins, o as normalizeWhatsAppTarget, r as normalizeChannelId, t as getChannelPlugin, v as buildChannelAccountBindings } from "./plugins-CCkC0dRo.js";
+import { t as getMachineDisplayName } from "./machine-name-BWZ0tBHk.js";
+import { j as runGlobalGatewayStopSafely, k as getGlobalHookRunner, o as normalizeReplyPayloadsForDelivery, t as deliverOutboundPayloads } from "./deliver-Bge0HwrF.js";
+import { d as startDiagnosticHeartbeat, f as stopDiagnosticHeartbeat, h as isDiagnosticsEnabled } from "./diagnostic-CXxZq_XY.js";
+import { _ as setCommandLaneConcurrency, c as setPreRestartDeferralCheck, m as getTotalQueueSize, n as deferGatewayRestartUntilIdle, o as scheduleGatewaySigusr1Restart, r as emitGatewayRestart, s as setGatewaySigusr1RestartPolicy, y as CommandLane } from "./restart-D97MOP8K.js";
+import { c as detectMime } from "./image-ops-Bnk-bI_x.js";
+import { b as resolveCronStorePath, x as saveCronStore, y as loadCronStore } from "./send-CZtdjq0Y.js";
+import { _ as hasGatewayClientCap, h as GATEWAY_CLIENT_MODES, i as isGatewayMessageChannel, m as GATEWAY_CLIENT_IDS, n as isDeliverableMessageChannel, p as GATEWAY_CLIENT_CAPS, r as isGatewayCliClient, s as isWebchatClient, t as INTERNAL_MESSAGE_CHANNEL, u as normalizeMessageChannel, v as normalizeGatewayClientMode } from "./message-channel-DOpIvru6.js";
+import { C as resolveToolProfilePolicy, _ as collectExplicitAllowlist, y as mergeAlsoAllowPolicy } from "./sandbox-DKscghPx.js";
+import { i as listCoreToolSections, n as PROFILE_OPTIONS, o as resolveCoreToolProfiles } from "./tool-catalog-3w4XiWhy.js";
+import { i as enableTailscaleServe, n as disableTailscaleServe, o as getTailnetHostname, r as enableTailscaleFunnel, t as disableTailscaleFunnel } from "./tailscale-DRFhBuh-.js";
+import { t as safeEqualSecret } from "./secret-equal-BN0idTaZ.js";
+import { n as pickPrimaryTailnetIPv4, r as pickPrimaryTailnetIPv6 } from "./tailnet-CInGXmk9.js";
+import { c as normalizeHostHeader, d as resolveGatewayBindHost, f as resolveGatewayListenHosts, i as isLoopbackHost, l as pickPrimaryLanIPv4, n as isLocalishHost, o as isTrustedProxyAddress, r as isLoopbackAddress, s as isValidIPv4, t as rawDataToString, u as resolveClientIp } from "./ws-BwH2d97O.js";
+import { a as resolveGatewayAuth, c as AUTH_RATE_LIMIT_SCOPE_SHARED_SECRET, i as isLocalDirectRequest, l as createAuthRateLimiter, n as authorizeHttpGatewayConnect, o as AUTH_RATE_LIMIT_SCOPE_DEVICE_TOKEN, r as authorizeWsControlUiGatewayConnect, s as AUTH_RATE_LIMIT_SCOPE_HOOK_AUTH, t as assertGatewayAuthConfigured, u as normalizeRateLimitClientIp } from "./auth-CWHo884l.js";
+import { d as mergeGatewayTailscaleConfig, l as ensureGatewayStartupAuth, u as mergeGatewayAuthConfig } from "./server-context-CcW_Z5sB.js";
+import { d as hasBinary } from "./frontmatter-B0viix_h.js";
+import { i as loadWorkspaceSkillEntries, r as buildWorkspaceSkillSnapshot } from "./skills-Cp-zTGor.js";
+import { n as assertNoPathAliasEscape } from "./path-alias-guards-Bz8AnRb7.js";
+import { a as testRegexWithBoundedInput, i as compileSafeRegex } from "./redact-B1GVGbib.js";
+import { r as formatErrorMessage } from "./errors-ClLWB67m.js";
+import { i as openFileWithinRoot, l as writeFileWithinRoot, s as readLocalFileSafely, t as SafeOpenError } from "./fs-safe-CFIinCN2.js";
+import { n as SsrFBlockedError } from "./proxy-env-a_fwG5uV.js";
+import { t as movePathToTrash } from "./trash-DHZNy01S.js";
+import { n as readJsonFile, r as writeJsonAtomic, t as createAsyncLock } from "./json-files-BH1UBATr.js";
+import { $ as resolveMainSessionKeyFromConfig, A as readSessionPreviewItemsFromTranscript, B as evaluateSessionFreshness, C as normalizeSessionDeliveryFields, D as capArrayByJsonBytes, E as archiveSessionTranscripts, H as resolveSessionResetPolicy, I as stripInlineDirectiveTagsForDisplay, J as setSessionRuntimeModel, K as mergeSessionEntry, L as stripInlineDirectiveTagsFromMessageForDisplay, M as resolveSessionTranscriptCandidates, N as stripEnvelopeFromMessage, O as cleanupArchivedSessionTranscripts, P as stripEnvelopeFromMessages, Q as resolveMainSessionKey, R as jsonUtf8Bytes, T as archiveFileOnDisk, X as resolveAgentMainSessionKey, Y as canonicalizeMainSessionAlias, Z as resolveExplicitAgentSessionKey, ct as cleanStaleLockFiles, d as updateSessionStore, k as readSessionMessages, n as parseSessionThreadInfo, o as loadSessionStore, t as extractDeliveryInfo, tt as snapshotSessionOrigin, x as mergeDeliveryContext, y as deliveryContextFromSession } from "./sessions-BkKVGWHa.js";
+import { c as resolveStorePath, i as resolveSessionTranscriptPath, n as resolveSessionFilePath, r as resolveSessionFilePathOptions, s as resolveSessionTranscriptsDirForAgent } from "./paths-gTdorMgW.js";
+import { i as normalizeInputProvenance } from "./input-provenance-qgaZGYuK.js";
+import { o as estimateBase64DecodedBytes } from "./tool-images-BwtNIRsT.js";
+import { a as normalizeElevatedLevel, c as normalizeUsageDisplay, d as supportsXHighThinking, l as normalizeVerboseLevel, n as formatXHighModelHint, o as normalizeReasoningLevel, s as normalizeThinkLevel, t as formatThinkingLevels } from "./thinking-C0gzzPsv.js";
+import { i as resetModelCatalogCacheForTest, n as loadModelCatalog } from "./model-catalog-DtjVcDuN.js";
+import { g as registerUnhandledRejectionHandler } from "./audio-transcription-runner-bvBQs8UB.js";
+import { t as fetchWithSsrFGuard } from "./fetch-guard-hL-C2yQz.js";
+import { b as extractTextFromChatContent } from "./image-m1GU1uco.js";
+import { a as ToolInputError } from "./target-errors-CkcKdefZ.js";
+import { r as isRestartEnabled } from "./commands-BoGUirwW.js";
+import { c as hasNonzeroUsage, i as loadSessionUsageTimeSeries, n as loadCostUsageSummary, r as loadSessionCostSummary, s as deriveSessionTotalTokens, t as discoverAllSessions } from "./session-cost-usage-CBHvFXhD.js";
+import { i as normalizeDevicePublicKeyBase64Url, s as verifyDeviceSignature, t as deriveDeviceIdFromPublicKey } from "./device-identity-DtdLP7QQ.js";
+import { $ as validateNodeListParams, $t as summarizeDeviceTokens, A as validateCronRemoveParams, At as validateWebLoginWaitParams, B as validateDeviceTokenRotateParams, Bt as buildDeviceAuthPayload, C as validateConfigSchemaLookupParams, Ct as validateSkillsUpdateParams, D as validateConnectParams, Dt as validateUpdateRunParams, E as validateConfigSetParams, Et as validateToolsCatalogParams, F as validateDevicePairApproveParams, Ft as PROTOCOL_VERSION, G as validateExecApprovalsNodeSetParams, Gt as ensureDeviceToken, H as validateExecApprovalResolveParams, Ht as normalizeDeviceMetadataForAuth, I as validateDevicePairListParams, It as ErrorCodes, J as validateModelsListParams, Jt as rejectDevicePairing, K as validateExecApprovalsSetParams, Kt as getPairedDevice, L as validateDevicePairRejectParams, Lt as errorShape, M as validateCronRunsParams, Mt as validateWizardNextParams, N as validateCronStatusParams, Nt as validateWizardStartParams, O as validateCronAddParams, Ot as validateWakeParams, P as validateCronUpdateParams, Pt as validateWizardStatusParams, Q as validateNodeInvokeResultParams, Qt as rotateDeviceToken, R as validateDevicePairRemoveParams, S as validateConfigPatchParams, St as validateSkillsStatusParams, T as validateConfigSchemaParams, Tt as validateTalkModeParams, U as validateExecApprovalsGetParams, V as validateExecApprovalRequestParams, Vt as buildDeviceAuthPayloadV3, W as validateExecApprovalsNodeGetParams, Wt as approveDevicePairing, X as validateNodeEventParams, Xt as requestDevicePairing, Y as validateNodeDescribeParams, Yt as removePairedDevice, Z as validateNodeInvokeParams, Zt as revokeDeviceToken, _ as validateChatHistoryParams, _t as validateSessionsResetParams, a as validateAgentParams, at as validateNodeRenameParams, b as validateConfigApplyParams, bt as validateSkillsBinsParams, c as validateAgentsDeleteParams, ct as validateRequestFrame, d as validateAgentsFilesSetParams, dt as validateSendParams, en as updatePairedDeviceMetadata, et as validateNodePairApproveParams, f as validateAgentsListParams, ft as validateSessionsCompactParams, g as validateChatAbortParams, gt as validateSessionsPreviewParams, h as validateChannelsStatusParams, ht as validateSessionsPatchParams, i as validateAgentIdentityParams, it as validateNodePairVerifyParams, j as validateCronRunParams, jt as validateWizardCancelParams, k as validateCronListParams, kt as validateWebLoginStartParams, l as validateAgentsFilesGetParams, lt as validateSecretsResolveParams, m as validateChannelsLogoutParams, mt as validateSessionsListParams, nn as roleScopesAllow, nt as validateNodePairRejectParams, o as validateAgentWaitParams, ot as validatePollParams, p as validateAgentsUpdateParams, pt as validateSessionsDeleteParams, q as validateLogsTailParams, qt as listDevicePairing, r as formatValidationErrors, rt as validateNodePairRequestParams, s as validateAgentsCreateParams, st as validatePushTestParams, tn as verifyDeviceToken, tt as validateNodePairListParams, u as validateAgentsFilesListParams, ut as validateSecretsResolveResult, v as validateChatInjectParams, vt as validateSessionsResolveParams, w as validateConfigSchemaLookupResult, wt as validateTalkConfigParams, x as validateConfigGetParams, xt as validateSkillsInstallParams, y as validateChatSendParams, yt as validateSessionsUsageParams, z as validateDeviceTokenRevokeParams, zt as parseSessionLabel } from "./client-Bvvecv3V.js";
+import { c as ADMIN_SCOPE$3, d as isNodeRoleMethod, p as loadGatewayTlsRuntime$1, u as authorizeOperatorScopesForMethod } from "./call-DL23sPxF.js";
+import { a as readChannelAllowFromStoreSync } from "./pairing-store-CXFEv3Gr.js";
+import { a as mergeExecApprovalsSocketDefaults, c as readExecApprovalsSnapshot, p as saveExecApprovals, r as ensureExecApprovals, s as normalizeExecApprovals, t as DEFAULT_EXEC_APPROVAL_TIMEOUT_MS } from "./exec-approvals-Bh1osORd.js";
+import { _ as matchSystemRunApprovalBinding, g as buildSystemRunApprovalBinding, h as resolveSystemRunApprovalRuntimeContext, m as resolveSystemRunApprovalRequestContext, v as missingSystemRunApprovalBinding, y as toSystemRunApprovalMismatchError } from "./nodes-screen-X8daVm8e.js";
+import { n as resolveSystemRunCommand } from "./system-run-command-Kw0jxir0.js";
+import { a as loadCombinedSessionStoreForGateway, c as resolveGatewaySessionStoreTarget, f as computeBackoff, i as listSessionsFromStore, l as resolveSessionModelRef, o as loadSessionEntry, p as sleepWithAbort, r as listAgentsForGateway, s as pruneLegacyStoreKeys, t as canonicalizeSpawnedByForAgent, u as lookupContextTokens } from "./session-utils-t4ZmEDMj.js";
+import { _ as updatePairedNodeMetadata, a as getRemoteSkillEligibility, b as getSkillsSnapshotVersion, c as refreshRemoteBinsForConnectedNodes, d as setSkillsRemoteRegistry, f as approveNodePairing, g as requestNodePairing, h as renamePairedNode, l as refreshRemoteNodeBins, m as rejectNodePairing, o as primeRemoteSkillsCache, p as listNodePairing, s as recordRemoteNodeInfo, u as removeRemoteNodeInfo, v as verifyNodeToken, x as registerSkillsChangeListener } from "./skill-commands-Dyi0nIIE.js";
+import { a as resolveSubagentToolPolicy, i as resolveGroupToolPolicy, r as resolveEffectiveToolPolicy } from "./pi-tools.policy-U1G3dAzL.js";
+import { t as listAgentWorkspaceDirs } from "./workspace-dirs-BgwJ2Axm.js";
+import { t as getChannelActivity } from "./channel-activity-DItBzFyQ.js";
+import { n as normalizePollInput } from "./polls-QrTzhQf5.js";
+import { i as startBrowserControlServiceFromConfig, n as createBrowserRouteDispatcher, r as createBrowserControlContext } from "./with-timeout-DKgjtZv2.js";
+import { i as parseAbsoluteTimeMs, n as resolveCronStaggerMs, r as resolveDefaultCronStaggerMs, t as normalizeCronStaggerMs } from "./stagger-Cek4Eizw.js";
+import { n as resolveMessageChannelSelection } from "./channel-selection-BnXQH0vV.js";
+import { i as buildChannelUiCatalog, t as applyPluginAutoEnable } from "./plugin-auto-enable-3v7X3qMK.js";
+import { n as GATEWAY_AUTH_SURFACE_PATHS, p as isKnownSecretTargetId, r as evaluateGatewayAuthSurfaceStates } from "./runtime-config-collectors-CML7zUqZ.js";
+import { C as normalizeControlUiBasePath, S as buildControlUiAvatarUrl, w as resolveAssistantAvatarUrl, x as CONTROL_UI_AVATAR_PREFIX } from "./onboard-helpers-BkwNJPNU.js";
+import { i as resolveMemoryBackendConfig, r as getMemorySearchManager } from "./memory-cli-yvsbLFgi.js";
+import { i as resolveMemorySearchConfig } from "./manager-BVqjeGyT.js";
+import { t as buildWorkspaceSkillStatus } from "./skills-status-NIhVZfqm.js";
+import { i as onHeartbeatEvent, r as getLastHeartbeatEvent, t as resolveHeartbeatVisibility } from "./heartbeat-visibility-C_P1yurK.js";
+import { t as ensureOpenClawCliOnPath } from "./path-env-CgmdxEc7.js";
+import { n as DEFAULT_GATEWAY_HTTP_TOOL_DENY } from "./dangerous-tools-B9LIt3MU.js";
+import { t as WizardCancelledError } from "./prompts-DomsZukd.js";
+import { t as resolveChannelDefaultAccountId } from "./helpers-DDBxLojl.js";
+import { a as pruneAgentConfig, i as loadAgentIdentity, r as findAgentEntryIndex, t as applyAgentConfig } from "./agents.config-OuZqDEe6.js";
+import { t as isWithinDir } from "./path-safety-EkGa1GqP.js";
+import { n as formatConfigIssueLines } from "./issue-format-BMPYbT1P.js";
+import { t as buildChannelAccountSnapshot } from "./status-DNPn0STZ.js";
+import { a as buildBaseHints, i as applySensitiveHints, n as redactConfigSnapshot, o as mapSensitivePaths, r as restoreRedactedValues, s as applyDerivedTags, t as redactConfigObject } from "./redact-snapshot-DDgxiqE4.js";
+import { n as resolveWideAreaDiscoveryDomain, r as writeWideAreaGatewayZone } from "./widearea-dns-9PZLZ6zk.js";
+import { r as getStatusSummary } from "./status-DN8lRmcz.js";
+import { c as setHeartbeatsEnabled, l as startHeartbeatRunner, n as getHealthSnapshot, s as runHeartbeatOnce, u as isCronSystemEvent } from "./health-Cs-k6kLT.js";
+import { a as resolveControlUiRootSync, i as resolveControlUiRootOverrideSync, t as ensureControlUiAssetsBuilt } from "./control-ui-assets-Co9rmXkB.js";
+import { h as normalizeUpdateChannel, l as DEFAULT_PACKAGE_CHANNEL, n as checkUpdateStatus, o as resolveNpmChannelTag, r as compareSemverStrings } from "./channel-account-context-DGbGZhGz.js";
+import { a as resolveCommandSecretsFromActiveRuntimeSnapshot, i as prepareSecretsRuntimeSnapshot, n as clearSecretsRuntimeSnapshot, r as getActiveSecretsRuntimeSnapshot, t as activateSecretsRuntimeSnapshot } from "./runtime-BBknab-X.js";
+import { t as runOnboardingWizard } from "./onboarding-gbgi-zx9.js";
+import { a as sendApnsAlert, c as parseMessageWithAttachments, d as shouldLogWs, f as summarizeAgentEventForWsLog, i as resolveApnsAuthConfigFromEnv, l as formatForLog, n as normalizeApnsEnvironment, o as sendApnsBackgroundWake, s as normalizeRpcAttachmentsToChatAttachments, t as loadApnsRegistration, u as logWs } from "./push-apns-D7Kl5IlU.js";
+import { T as resolveGmailHookRuntimeConfig, _ as buildGogWatchServeArgs, i as ensureTailscaleEndpoint, v as buildGogWatchStartArgs } from "./gmail-setup-utils-DuoBM8ed.js";
+import { n as isNodeCommandAllowed, r as resolveNodeCommandAllowlist } from "./node-command-policy-CeKPGmlP.js";
+import { n as collectEnabledInsecureOrDangerousFlags } from "./audit-BWNRwu8g.js";
+import { t as installSkill } from "./skills-install-LXdiRh5j.js";
+import { t as runGatewayUpdate } from "./update-runner-BDHtvoca.js";
+import { t as GatewayLockError } from "./gateway-lock-DNpln_70.js";
+import { i as shouldIncludeHook, r as resolveHookConfig, t as loadWorkspaceHookEntries } from "./workspace-CedZZfvJ.js";
 import { spawn, spawnSync } from "node:child_process";
 import { fileURLToPath, pathToFileURL } from "node:url";
 import os from "node:os";
@@ -176,816 +114,14 @@ import fs$1 from "node:fs/promises";
 import crypto, { createHash, randomBytes, randomUUID } from "node:crypto";
 import { z } from "zod";
 import { CURRENT_SESSION_VERSION, SessionManager } from "@mariozechner/pi-coding-agent";
-import net from "node:net";
-import http, { createServer as createServer$1 } from "node:http";
-import { createServer as createServer$2 } from "node:https";
+import http, { createServer } from "node:http";
+import { createServer as createServer$1 } from "node:https";
 import { WebSocketServer } from "ws";
 import { Buffer as Buffer$1 } from "node:buffer";
 import chokidar from "chokidar";
 import { Cron } from "croner";
 import { AsyncLocalStorage } from "node:async_hooks";
-//#region src/infra/ssh-config.ts
-function parsePort(value) {
-	if (!value) return;
-	const parsed = Number.parseInt(value, 10);
-	if (!Number.isFinite(parsed) || parsed <= 0) return;
-	return parsed;
-}
-function parseSshConfigOutput(output) {
-	const result = { identityFiles: [] };
-	const lines = output.split("\n");
-	for (const raw of lines) {
-		const line = raw.trim();
-		if (!line) continue;
-		const [key, ...rest] = line.split(/\s+/);
-		const value = rest.join(" ").trim();
-		if (!key || !value) continue;
-		switch (key) {
-			case "user":
-				result.user = value;
-				break;
-			case "hostname":
-				result.host = value;
-				break;
-			case "port":
-				result.port = parsePort(value);
-				break;
-			case "identityfile":
-				if (value !== "none") result.identityFiles.push(value);
-				break;
-			default: break;
-		}
-	}
-	return result;
-}
-async function resolveSshConfig(target, opts = {}) {
-	const sshPath = "/usr/bin/ssh";
-	const args = ["-G"];
-	if (target.port > 0 && target.port !== 22) args.push("-p", String(target.port));
-	if (opts.identity?.trim()) args.push("-i", opts.identity.trim());
-	const userHost = target.user ? `${target.user}@${target.host}` : target.host;
-	args.push("--", userHost);
-	return await new Promise((resolve) => {
-		const child = spawn(sshPath, args, { stdio: [
-			"ignore",
-			"pipe",
-			"ignore"
-		] });
-		let stdout = "";
-		child.stdout?.setEncoding("utf8");
-		child.stdout?.on("data", (chunk) => {
-			stdout += String(chunk);
-		});
-		const timeoutMs = Math.max(200, opts.timeoutMs ?? 800);
-		const timer = setTimeout(() => {
-			try {
-				child.kill("SIGKILL");
-			} finally {
-				resolve(null);
-			}
-		}, timeoutMs);
-		child.once("error", () => {
-			clearTimeout(timer);
-			resolve(null);
-		});
-		child.once("exit", (code) => {
-			clearTimeout(timer);
-			if (code !== 0 || !stdout.trim()) {
-				resolve(null);
-				return;
-			}
-			resolve(parseSshConfigOutput(stdout));
-		});
-	});
-}
-//#endregion
-//#region src/infra/ssh-tunnel.ts
-function parseSshTarget(raw) {
-	const trimmed = raw.trim().replace(/^ssh\s+/, "");
-	if (!trimmed) return null;
-	const [userPart, hostPart] = trimmed.includes("@") ? (() => {
-		const idx = trimmed.indexOf("@");
-		const user = trimmed.slice(0, idx).trim();
-		const host = trimmed.slice(idx + 1).trim();
-		return [user || void 0, host];
-	})() : [void 0, trimmed];
-	const colonIdx = hostPart.lastIndexOf(":");
-	if (colonIdx > 0 && colonIdx < hostPart.length - 1) {
-		const host = hostPart.slice(0, colonIdx).trim();
-		const portRaw = hostPart.slice(colonIdx + 1).trim();
-		const port = Number.parseInt(portRaw, 10);
-		if (!host || !Number.isFinite(port) || port <= 0) return null;
-		if (host.startsWith("-")) return null;
-		return {
-			user: userPart,
-			host,
-			port
-		};
-	}
-	if (!hostPart) return null;
-	if (hostPart.startsWith("-")) return null;
-	return {
-		user: userPart,
-		host: hostPart,
-		port: 22
-	};
-}
-async function pickEphemeralPort() {
-	return await new Promise((resolve, reject) => {
-		const server = net.createServer();
-		server.once("error", reject);
-		server.listen(0, "127.0.0.1", () => {
-			const addr = server.address();
-			server.close(() => {
-				if (!addr || typeof addr === "string") {
-					reject(/* @__PURE__ */ new Error("failed to allocate a local port"));
-					return;
-				}
-				resolve(addr.port);
-			});
-		});
-	});
-}
-async function canConnectLocal(port) {
-	return await new Promise((resolve) => {
-		const socket = net.connect({
-			host: "127.0.0.1",
-			port
-		});
-		const done = (ok) => {
-			socket.removeAllListeners();
-			socket.destroy();
-			resolve(ok);
-		};
-		socket.once("connect", () => done(true));
-		socket.once("error", () => done(false));
-		socket.setTimeout(250, () => done(false));
-	});
-}
-async function waitForLocalListener(port, timeoutMs) {
-	const startedAt = Date.now();
-	while (Date.now() - startedAt < timeoutMs) {
-		if (await canConnectLocal(port)) return;
-		await new Promise((r) => setTimeout(r, 50));
-	}
-	throw new Error(`ssh tunnel did not start listening on localhost:${port}`);
-}
-async function startSshPortForward(opts) {
-	const parsed = parseSshTarget(opts.target);
-	if (!parsed) throw new Error(`invalid SSH target: ${opts.target}`);
-	let localPort = opts.localPortPreferred;
-	try {
-		await ensurePortAvailable(localPort);
-	} catch (err) {
-		if (isErrno(err) && err.code === "EADDRINUSE") localPort = await pickEphemeralPort();
-		else throw err;
-	}
-	const userHost = parsed.user ? `${parsed.user}@${parsed.host}` : parsed.host;
-	const args = [
-		"-N",
-		"-L",
-		`${localPort}:127.0.0.1:${opts.remotePort}`,
-		"-p",
-		String(parsed.port),
-		"-o",
-		"ExitOnForwardFailure=yes",
-		"-o",
-		"BatchMode=yes",
-		"-o",
-		"StrictHostKeyChecking=yes",
-		"-o",
-		"UpdateHostKeys=yes",
-		"-o",
-		"ConnectTimeout=5",
-		"-o",
-		"ServerAliveInterval=15",
-		"-o",
-		"ServerAliveCountMax=3"
-	];
-	if (opts.identity?.trim()) args.push("-i", opts.identity.trim());
-	args.push("--", userHost);
-	const stderr = [];
-	const child = spawn("/usr/bin/ssh", args, { stdio: [
-		"ignore",
-		"ignore",
-		"pipe"
-	] });
-	child.stderr?.setEncoding("utf8");
-	child.stderr?.on("data", (chunk) => {
-		const lines = String(chunk).split("\n").map((l) => l.trim()).filter(Boolean);
-		stderr.push(...lines);
-	});
-	const stop = async () => {
-		if (child.killed) return;
-		child.kill("SIGTERM");
-		await new Promise((resolve) => {
-			const t = setTimeout(() => {
-				try {
-					child.kill("SIGKILL");
-				} finally {
-					resolve();
-				}
-			}, 1500);
-			child.once("exit", () => {
-				clearTimeout(t);
-				resolve();
-			});
-		});
-	};
-	try {
-		await Promise.race([waitForLocalListener(localPort, Math.max(250, opts.timeoutMs)), new Promise((_, reject) => {
-			child.once("exit", (code, signal) => {
-				reject(/* @__PURE__ */ new Error(`ssh exited (${code ?? "null"}${signal ? `/${signal}` : ""})`));
-			});
-		})]);
-	} catch (err) {
-		await stop();
-		const suffix = stderr.length > 0 ? `\n${stderr.join("\n")}` : "";
-		throw new Error(`${err instanceof Error ? err.message : String(err)}${suffix}`, { cause: err });
-	}
-	return {
-		parsedTarget: parsed,
-		localPort,
-		remotePort: opts.remotePort,
-		pid: typeof child.pid === "number" ? child.pid : null,
-		stderr,
-		stop
-	};
-}
-//#endregion
-//#region src/commands/gateway-status/helpers.ts
-function parseIntOrNull(value) {
-	const s = typeof value === "string" ? value.trim() : typeof value === "number" || typeof value === "bigint" ? String(value) : "";
-	if (!s) return null;
-	const n = Number.parseInt(s, 10);
-	return Number.isFinite(n) ? n : null;
-}
-function parseTimeoutMs(raw, fallbackMs) {
-	const value = typeof raw === "string" ? raw.trim() : typeof raw === "number" || typeof raw === "bigint" ? String(raw) : "";
-	if (!value) return fallbackMs;
-	const parsed = Number.parseInt(value, 10);
-	if (!Number.isFinite(parsed) || parsed <= 0) throw new Error(`invalid --timeout: ${value}`);
-	return parsed;
-}
-function normalizeWsUrl(value) {
-	const trimmed = value.trim();
-	if (!trimmed) return null;
-	if (!trimmed.startsWith("ws://") && !trimmed.startsWith("wss://")) return null;
-	return trimmed;
-}
-function resolveTargets(cfg, explicitUrl) {
-	const targets = [];
-	const add = (t) => {
-		if (!targets.some((x) => x.url === t.url)) targets.push(t);
-	};
-	const explicit = typeof explicitUrl === "string" ? normalizeWsUrl(explicitUrl) : null;
-	if (explicit) add({
-		id: "explicit",
-		kind: "explicit",
-		url: explicit,
-		active: true
-	});
-	const remoteUrl = typeof cfg.gateway?.remote?.url === "string" ? normalizeWsUrl(cfg.gateway.remote.url) : null;
-	if (remoteUrl) add({
-		id: "configRemote",
-		kind: "configRemote",
-		url: remoteUrl,
-		active: cfg.gateway?.mode === "remote"
-	});
-	add({
-		id: "localLoopback",
-		kind: "localLoopback",
-		url: `ws://127.0.0.1:${resolveGatewayPort(cfg)}`,
-		active: cfg.gateway?.mode !== "remote"
-	});
-	return targets;
-}
-function resolveProbeBudgetMs(overallMs, kind) {
-	if (kind === "localLoopback") return Math.min(800, overallMs);
-	if (kind === "sshTunnel") return Math.min(2e3, overallMs);
-	return Math.min(1500, overallMs);
-}
-function sanitizeSshTarget(value) {
-	if (typeof value !== "string") return null;
-	const trimmed = value.trim();
-	if (!trimmed) return null;
-	return trimmed.replace(/^ssh\\s+/, "");
-}
-function readGatewayTokenEnv(env = process.env) {
-	return env.OPENCLAW_GATEWAY_TOKEN?.trim() || env.CLAWDBOT_GATEWAY_TOKEN?.trim() || void 0;
-}
-function readGatewayPasswordEnv(env = process.env) {
-	return env.OPENCLAW_GATEWAY_PASSWORD?.trim() || env.CLAWDBOT_GATEWAY_PASSWORD?.trim() || void 0;
-}
-async function resolveAuthForTarget(cfg, target, overrides) {
-	const tokenOverride = overrides.token?.trim() ? overrides.token.trim() : void 0;
-	const passwordOverride = overrides.password?.trim() ? overrides.password.trim() : void 0;
-	if (tokenOverride || passwordOverride) return {
-		token: tokenOverride,
-		password: passwordOverride
-	};
-	const diagnostics = [];
-	const authMode = cfg.gateway?.auth?.mode;
-	const tokenOnly = authMode === "token";
-	const passwordOnly = authMode === "password";
-	const resolveToken = async (value, path) => {
-		const tokenResolution = await resolveConfiguredSecretInputString({
-			config: cfg,
-			env: process.env,
-			value,
-			path,
-			unresolvedReasonStyle: "detailed"
-		});
-		if (tokenResolution.unresolvedRefReason) diagnostics.push(tokenResolution.unresolvedRefReason);
-		return tokenResolution.value;
-	};
-	const resolvePassword = async (value, path) => {
-		const passwordResolution = await resolveConfiguredSecretInputString({
-			config: cfg,
-			env: process.env,
-			value,
-			path,
-			unresolvedReasonStyle: "detailed"
-		});
-		if (passwordResolution.unresolvedRefReason) diagnostics.push(passwordResolution.unresolvedRefReason);
-		return passwordResolution.value;
-	};
-	if (target.kind === "configRemote" || target.kind === "sshTunnel") {
-		const remoteTokenValue = cfg.gateway?.remote?.token;
-		const remotePasswordValue = (cfg.gateway?.remote)?.password;
-		const token = await resolveToken(remoteTokenValue, "gateway.remote.token");
-		return {
-			token,
-			password: token ? void 0 : await resolvePassword(remotePasswordValue, "gateway.remote.password"),
-			...diagnostics.length > 0 ? { diagnostics } : {}
-		};
-	}
-	if (authMode === "none" || authMode === "trusted-proxy") return {};
-	const envToken = readGatewayTokenEnv();
-	const envPassword = readGatewayPasswordEnv();
-	if (tokenOnly) {
-		if (envToken) return { token: envToken };
-		return {
-			token: await resolveToken(cfg.gateway?.auth?.token, "gateway.auth.token"),
-			...diagnostics.length > 0 ? { diagnostics } : {}
-		};
-	}
-	if (passwordOnly) {
-		if (envPassword) return { password: envPassword };
-		return {
-			password: await resolvePassword(cfg.gateway?.auth?.password, "gateway.auth.password"),
-			...diagnostics.length > 0 ? { diagnostics } : {}
-		};
-	}
-	if (envToken) return { token: envToken };
-	const token = await resolveToken(cfg.gateway?.auth?.token, "gateway.auth.token");
-	if (token) return {
-		token,
-		...diagnostics.length > 0 ? { diagnostics } : {}
-	};
-	if (envPassword) return {
-		password: envPassword,
-		...diagnostics.length > 0 ? { diagnostics } : {}
-	};
-	return {
-		token,
-		password: await resolvePassword(cfg.gateway?.auth?.password, "gateway.auth.password"),
-		...diagnostics.length > 0 ? { diagnostics } : {}
-	};
-}
-function extractConfigSummary(snapshotUnknown) {
-	const snap = snapshotUnknown;
-	const path = typeof snap?.path === "string" ? snap.path : null;
-	const exists = Boolean(snap?.exists);
-	const valid = Boolean(snap?.valid);
-	const issuesRaw = Array.isArray(snap?.issues) ? snap.issues : [];
-	const legacyRaw = Array.isArray(snap?.legacyIssues) ? snap.legacyIssues : [];
-	const cfg = snap?.config ?? {};
-	const gateway = cfg.gateway ?? {};
-	const secretDefaults = (cfg.secrets ?? {}).defaults ?? void 0;
-	const wideArea = (cfg.discovery ?? {}).wideArea ?? {};
-	const remote = gateway.remote ?? {};
-	const auth = gateway.auth ?? {};
-	const controlUi = gateway.controlUi ?? {};
-	const tailscale = gateway.tailscale ?? {};
-	const authMode = typeof auth.mode === "string" ? auth.mode : null;
-	const authTokenConfigured = hasConfiguredSecretInput(auth.token, secretDefaults);
-	const authPasswordConfigured = hasConfiguredSecretInput(auth.password, secretDefaults);
-	const remoteUrl = typeof remote.url === "string" ? normalizeWsUrl(remote.url) : null;
-	const remoteTokenConfigured = hasConfiguredSecretInput(remote.token, secretDefaults);
-	const remotePasswordConfigured = hasConfiguredSecretInput(remote.password, secretDefaults);
-	const wideAreaEnabled = typeof wideArea.enabled === "boolean" ? wideArea.enabled : null;
-	return {
-		path,
-		exists,
-		valid,
-		issues: issuesRaw.filter((i) => Boolean(i && typeof i.path === "string" && typeof i.message === "string")).map((i) => ({
-			path: i.path,
-			message: i.message
-		})),
-		legacyIssues: legacyRaw.filter((i) => Boolean(i && typeof i.path === "string" && typeof i.message === "string")).map((i) => ({
-			path: i.path,
-			message: i.message
-		})),
-		gateway: {
-			mode: typeof gateway.mode === "string" ? gateway.mode : null,
-			bind: typeof gateway.bind === "string" ? gateway.bind : null,
-			port: parseIntOrNull(gateway.port),
-			controlUiEnabled: typeof controlUi.enabled === "boolean" ? controlUi.enabled : null,
-			controlUiBasePath: typeof controlUi.basePath === "string" ? controlUi.basePath : null,
-			authMode,
-			authTokenConfigured,
-			authPasswordConfigured,
-			remoteUrl,
-			remoteTokenConfigured,
-			remotePasswordConfigured,
-			tailscaleMode: typeof tailscale.mode === "string" ? tailscale.mode : null
-		},
-		discovery: { wideAreaEnabled }
-	};
-}
-function buildNetworkHints(cfg) {
-	const tailnetIPv4 = pickPrimaryTailnetIPv4();
-	const port = resolveGatewayPort(cfg);
-	return {
-		localLoopbackUrl: `ws://127.0.0.1:${port}`,
-		localTailnetUrl: tailnetIPv4 ? `ws://${tailnetIPv4}:${port}` : null,
-		tailnetIPv4: tailnetIPv4 ?? null
-	};
-}
-function renderTargetHeader(target, rich) {
-	const kindLabel = target.kind === "localLoopback" ? "Local loopback" : target.kind === "sshTunnel" ? "Remote over SSH" : target.kind === "configRemote" ? target.active ? "Remote (configured)" : "Remote (configured, inactive)" : "URL (explicit)";
-	return `${colorize(rich, theme.heading, kindLabel)} ${colorize(rich, theme.muted, target.url)}`;
-}
-function renderProbeSummaryLine(probe, rich) {
-	if (probe.ok) {
-		const latency = typeof probe.connectLatencyMs === "number" ? `${probe.connectLatencyMs}ms` : "unknown";
-		return `${colorize(rich, theme.success, "Connect: ok")} (${latency}) · ${colorize(rich, theme.success, "RPC: ok")}`;
-	}
-	const detail = probe.error ? ` - ${probe.error}` : "";
-	if (probe.connectLatencyMs != null) {
-		const latency = typeof probe.connectLatencyMs === "number" ? `${probe.connectLatencyMs}ms` : "unknown";
-		return `${colorize(rich, theme.success, "Connect: ok")} (${latency}) · ${colorize(rich, theme.error, "RPC: failed")}${detail}`;
-	}
-	return `${colorize(rich, theme.error, "Connect: failed")}${detail}`;
-}
-//#endregion
-//#region src/commands/gateway-status.ts
-async function gatewayStatusCommand(opts, runtime) {
-	const startedAt = Date.now();
-	const cfg = loadConfig();
-	const rich = isRich() && opts.json !== true;
-	const overallTimeoutMs = parseTimeoutMs(opts.timeout, 3e3);
-	const wideAreaDomain = resolveWideAreaDiscoveryDomain({ configDomain: cfg.discovery?.wideArea?.domain });
-	const baseTargets = resolveTargets(cfg, opts.url);
-	const network = buildNetworkHints(cfg);
-	const discoveryTimeoutMs = Math.min(1200, overallTimeoutMs);
-	const discoveryPromise = discoverGatewayBeacons({
-		timeoutMs: discoveryTimeoutMs,
-		wideAreaDomain
-	});
-	let sshTarget = sanitizeSshTarget(opts.ssh) ?? sanitizeSshTarget(cfg.gateway?.remote?.sshTarget);
-	let sshIdentity = sanitizeSshTarget(opts.sshIdentity) ?? sanitizeSshTarget(cfg.gateway?.remote?.sshIdentity);
-	const remotePort = resolveGatewayPort(cfg);
-	let sshTunnelError = null;
-	let sshTunnelStarted = false;
-	if (!sshTarget) sshTarget = inferSshTargetFromRemoteUrl(cfg.gateway?.remote?.url);
-	if (sshTarget) {
-		const resolved = await resolveSshTarget(sshTarget, sshIdentity, overallTimeoutMs);
-		if (resolved) {
-			sshTarget = resolved.target;
-			if (!sshIdentity && resolved.identity) sshIdentity = resolved.identity;
-		}
-	}
-	const { discovery, probed } = await withProgress({
-		label: "Inspecting gateways…",
-		indeterminate: true,
-		enabled: opts.json !== true
-	}, async () => {
-		const tryStartTunnel = async () => {
-			if (!sshTarget) return null;
-			try {
-				const tunnel = await startSshPortForward({
-					target: sshTarget,
-					identity: sshIdentity ?? void 0,
-					localPortPreferred: remotePort,
-					remotePort,
-					timeoutMs: Math.min(1500, overallTimeoutMs)
-				});
-				sshTunnelStarted = true;
-				return tunnel;
-			} catch (err) {
-				sshTunnelError = err instanceof Error ? err.message : String(err);
-				return null;
-			}
-		};
-		const discoveryTask = discoveryPromise.catch(() => []);
-		const tunnelTask = sshTarget ? tryStartTunnel() : Promise.resolve(null);
-		const [discovery, tunnelFirst] = await Promise.all([discoveryTask, tunnelTask]);
-		if (!sshTarget && opts.sshAuto) {
-			const user = process.env.USER?.trim() || "";
-			const candidates = discovery.map((b) => {
-				const host = b.tailnetDns || b.lanHost || b.host;
-				if (!host?.trim()) return null;
-				const sshPort = typeof b.sshPort === "number" && b.sshPort > 0 ? b.sshPort : 22;
-				const base = user ? `${user}@${host.trim()}` : host.trim();
-				return sshPort !== 22 ? `${base}:${sshPort}` : base;
-			}).filter((candidate) => Boolean(candidate && parseSshTarget(candidate)));
-			if (candidates.length > 0) sshTarget = candidates[0] ?? null;
-		}
-		const tunnel = tunnelFirst || (sshTarget && !sshTunnelStarted && !sshTunnelError ? await tryStartTunnel() : null);
-		const tunnelTarget = tunnel ? {
-			id: "sshTunnel",
-			kind: "sshTunnel",
-			url: `ws://127.0.0.1:${tunnel.localPort}`,
-			active: true,
-			tunnel: {
-				kind: "ssh",
-				target: sshTarget ?? "",
-				localPort: tunnel.localPort,
-				remotePort,
-				pid: tunnel.pid
-			}
-		} : null;
-		const targets = tunnelTarget ? [tunnelTarget, ...baseTargets.filter((t) => t.url !== tunnelTarget.url)] : baseTargets;
-		try {
-			return {
-				discovery,
-				probed: await Promise.all(targets.map(async (target) => {
-					const authResolution = await resolveAuthForTarget(cfg, target, {
-						token: typeof opts.token === "string" ? opts.token : void 0,
-						password: typeof opts.password === "string" ? opts.password : void 0
-					});
-					const auth = {
-						token: authResolution.token,
-						password: authResolution.password
-					};
-					const timeoutMs = resolveProbeBudgetMs(overallTimeoutMs, target.kind);
-					const probe = await probeGateway({
-						url: target.url,
-						auth,
-						timeoutMs
-					});
-					return {
-						target,
-						probe,
-						configSummary: probe.configSnapshot ? extractConfigSummary(probe.configSnapshot) : null,
-						self: pickGatewaySelfPresence(probe.presence),
-						authDiagnostics: authResolution.diagnostics ?? []
-					};
-				}))
-			};
-		} finally {
-			if (tunnel) try {
-				await tunnel.stop();
-			} catch {}
-		}
-	});
-	const reachable = probed.filter((p) => p.probe.ok);
-	const ok = reachable.length > 0;
-	const multipleGateways = reachable.length > 1;
-	const primary = reachable.find((p) => p.target.kind === "explicit") ?? reachable.find((p) => p.target.kind === "sshTunnel") ?? reachable.find((p) => p.target.kind === "configRemote") ?? reachable.find((p) => p.target.kind === "localLoopback") ?? null;
-	const warnings = [];
-	if (sshTarget && !sshTunnelStarted) warnings.push({
-		code: "ssh_tunnel_failed",
-		message: sshTunnelError ? `SSH tunnel failed: ${String(sshTunnelError)}` : "SSH tunnel failed to start; falling back to direct probes."
-	});
-	if (multipleGateways) warnings.push({
-		code: "multiple_gateways",
-		message: "Unconventional setup: multiple reachable gateways detected. Usually one gateway per network is recommended unless you intentionally run isolated profiles, like a rescue bot (see docs: /gateway#multiple-gateways-same-host).",
-		targetIds: reachable.map((p) => p.target.id)
-	});
-	for (const result of probed) {
-		if (result.authDiagnostics.length === 0) continue;
-		for (const diagnostic of result.authDiagnostics) warnings.push({
-			code: "auth_secretref_unresolved",
-			message: diagnostic,
-			targetIds: [result.target.id]
-		});
-	}
-	if (opts.json) {
-		runtime.log(JSON.stringify({
-			ok,
-			ts: Date.now(),
-			durationMs: Date.now() - startedAt,
-			timeoutMs: overallTimeoutMs,
-			primaryTargetId: primary?.target.id ?? null,
-			warnings,
-			network,
-			discovery: {
-				timeoutMs: discoveryTimeoutMs,
-				count: discovery.length,
-				beacons: discovery.map((b) => ({
-					instanceName: b.instanceName,
-					displayName: b.displayName ?? null,
-					domain: b.domain ?? null,
-					host: b.host ?? null,
-					lanHost: b.lanHost ?? null,
-					tailnetDns: b.tailnetDns ?? null,
-					gatewayPort: b.gatewayPort ?? null,
-					sshPort: b.sshPort ?? null,
-					wsUrl: (() => {
-						const host = b.tailnetDns || b.lanHost || b.host;
-						const port = b.gatewayPort ?? 18789;
-						return host ? `ws://${host}:${port}` : null;
-					})()
-				}))
-			},
-			targets: probed.map((p) => ({
-				id: p.target.id,
-				kind: p.target.kind,
-				url: p.target.url,
-				active: p.target.active,
-				tunnel: p.target.tunnel ?? null,
-				connect: {
-					ok: p.probe.ok,
-					latencyMs: p.probe.connectLatencyMs,
-					error: p.probe.error,
-					close: p.probe.close
-				},
-				self: p.self,
-				config: p.configSummary,
-				health: p.probe.health,
-				summary: p.probe.status,
-				presence: p.probe.presence
-			}))
-		}, null, 2));
-		if (!ok) runtime.exit(1);
-		return;
-	}
-	runtime.log(colorize(rich, theme.heading, "Gateway Status"));
-	runtime.log(ok ? `${colorize(rich, theme.success, "Reachable")}: yes` : `${colorize(rich, theme.error, "Reachable")}: no`);
-	runtime.log(colorize(rich, theme.muted, `Probe budget: ${overallTimeoutMs}ms`));
-	if (warnings.length > 0) {
-		runtime.log("");
-		runtime.log(colorize(rich, theme.warn, "Warning:"));
-		for (const w of warnings) runtime.log(`- ${w.message}`);
-	}
-	runtime.log("");
-	runtime.log(colorize(rich, theme.heading, "Discovery (this machine)"));
-	const discoveryDomains = wideAreaDomain ? `local. + ${wideAreaDomain}` : "local.";
-	runtime.log(discovery.length > 0 ? `Found ${discovery.length} gateway(s) via Bonjour (${discoveryDomains})` : `Found 0 gateways via Bonjour (${discoveryDomains})`);
-	if (discovery.length === 0) runtime.log(colorize(rich, theme.muted, "Tip: if the gateway is remote, mDNS won’t cross networks; use Wide-Area Bonjour (split DNS) or SSH tunnels."));
-	runtime.log("");
-	runtime.log(colorize(rich, theme.heading, "Targets"));
-	for (const p of probed) {
-		runtime.log(renderTargetHeader(p.target, rich));
-		runtime.log(`  ${renderProbeSummaryLine(p.probe, rich)}`);
-		if (p.target.tunnel?.kind === "ssh") runtime.log(`  ${colorize(rich, theme.muted, "ssh")}: ${colorize(rich, theme.command, p.target.tunnel.target)}`);
-		if (p.probe.ok && p.self) {
-			const host = p.self.host ?? "unknown";
-			const ip = p.self.ip ? ` (${p.self.ip})` : "";
-			const platform = p.self.platform ? ` · ${p.self.platform}` : "";
-			const version = p.self.version ? ` · app ${p.self.version}` : "";
-			runtime.log(`  ${colorize(rich, theme.info, "Gateway")}: ${host}${ip}${platform}${version}`);
-		}
-		if (p.configSummary) {
-			const c = p.configSummary;
-			const wideArea = c.discovery.wideAreaEnabled === true ? "enabled" : c.discovery.wideAreaEnabled === false ? "disabled" : "unknown";
-			runtime.log(`  ${colorize(rich, theme.info, "Wide-area discovery")}: ${wideArea}`);
-		}
-		runtime.log("");
-	}
-	if (!ok) runtime.exit(1);
-}
-function inferSshTargetFromRemoteUrl(rawUrl) {
-	if (typeof rawUrl !== "string") return null;
-	const trimmed = rawUrl.trim();
-	if (!trimmed) return null;
-	let host = null;
-	try {
-		host = new URL(trimmed).hostname || null;
-	} catch {
-		return null;
-	}
-	if (!host) return null;
-	const user = process.env.USER?.trim() || "";
-	return user ? `${user}@${host}` : host;
-}
-function buildSshTarget(input) {
-	const host = input.host?.trim() ?? "";
-	if (!host) return null;
-	const user = input.user?.trim() ?? "";
-	const base = user ? `${user}@${host}` : host;
-	const port = input.port ?? 22;
-	if (port && port !== 22) return `${base}:${port}`;
-	return base;
-}
-async function resolveSshTarget(rawTarget, identity, overallTimeoutMs) {
-	const parsed = parseSshTarget(rawTarget);
-	if (!parsed) return null;
-	const config = await resolveSshConfig(parsed, {
-		identity: identity ?? void 0,
-		timeoutMs: Math.min(800, overallTimeoutMs)
-	});
-	if (!config) return {
-		target: rawTarget,
-		identity: identity ?? void 0
-	};
-	const target = buildSshTarget({
-		user: config.user ?? parsed.user,
-		host: config.host ?? parsed.host,
-		port: config.port ?? parsed.port
-	});
-	if (!target) return {
-		target: rawTarget,
-		identity: identity ?? void 0
-	};
-	return {
-		target,
-		identity: identity ?? config.identityFiles.find((entry) => entry.trim().length > 0)?.trim() ?? void 0
-	};
-}
-//#endregion
-//#region src/cli/gateway-cli/call.ts
-const gatewayCallOpts = (cmd) => cmd.option("--url <url>", "Gateway WebSocket URL (defaults to gateway.remote.url when configured)").option("--token <token>", "Gateway token (if required)").option("--password <password>", "Gateway password (password auth)").option("--timeout <ms>", "Timeout in ms", "10000").option("--expect-final", "Wait for final response (agent)", false).option("--json", "Output JSON", false);
-const callGatewayCli = async (method, opts, params) => withProgress({
-	label: `Gateway ${method}`,
-	indeterminate: true,
-	enabled: opts.json !== true
-}, async () => await callGateway({
-	url: opts.url,
-	token: opts.token,
-	password: opts.password,
-	method,
-	params,
-	expectFinal: Boolean(opts.expectFinal),
-	timeoutMs: Number(opts.timeout ?? 1e4),
-	clientName: GATEWAY_CLIENT_NAMES.CLI,
-	mode: GATEWAY_CLIENT_MODES.CLI
-}));
-//#endregion
-//#region src/cli/gateway-cli/discover.ts
-function parseDiscoverTimeoutMs(raw, fallbackMs) {
-	if (raw === void 0 || raw === null) return fallbackMs;
-	const value = typeof raw === "string" ? raw.trim() : typeof raw === "number" || typeof raw === "bigint" ? String(raw) : null;
-	if (value === null) throw new Error("invalid --timeout");
-	if (!value) return fallbackMs;
-	const parsed = Number.parseInt(value, 10);
-	if (!Number.isFinite(parsed) || parsed <= 0) throw new Error(`invalid --timeout: ${value}`);
-	return parsed;
-}
-function pickBeaconHost(beacon) {
-	const host = beacon.host || beacon.tailnetDns || beacon.lanHost;
-	return host?.trim() ? host.trim() : null;
-}
-function pickGatewayPort(beacon) {
-	const port = beacon.port ?? beacon.gatewayPort ?? 18789;
-	return port > 0 ? port : 18789;
-}
-function dedupeBeacons(beacons) {
-	const out = [];
-	const seen = /* @__PURE__ */ new Set();
-	for (const b of beacons) {
-		const host = pickBeaconHost(b) ?? "";
-		const key = [
-			b.domain ?? "",
-			b.instanceName ?? "",
-			b.displayName ?? "",
-			host,
-			String(b.port ?? ""),
-			String(b.gatewayPort ?? "")
-		].join("|");
-		if (seen.has(key)) continue;
-		seen.add(key);
-		out.push(b);
-	}
-	return out;
-}
-function renderBeaconLines(beacon, rich) {
-	const nameRaw = (beacon.displayName || beacon.instanceName || "Gateway").trim();
-	const domainRaw = (beacon.domain || "local.").trim();
-	const title = colorize(rich, theme.accentBright, nameRaw);
-	const domain = colorize(rich, theme.muted, domainRaw);
-	const host = pickBeaconHost(beacon);
-	const gatewayPort = pickGatewayPort(beacon);
-	const scheme = beacon.gatewayTls ? "wss" : "ws";
-	const wsUrl = host ? `${scheme}://${host}:${gatewayPort}` : null;
-	const lines = [`- ${title} ${domain}`];
-	if (beacon.tailnetDns) lines.push(`  ${colorize(rich, theme.info, "tailnet")}: ${beacon.tailnetDns}`);
-	if (beacon.lanHost) lines.push(`  ${colorize(rich, theme.info, "lan")}: ${beacon.lanHost}`);
-	if (beacon.host) lines.push(`  ${colorize(rich, theme.info, "host")}: ${beacon.host}`);
-	if (wsUrl) lines.push(`  ${colorize(rich, theme.muted, "ws")}: ${colorize(rich, theme.command, wsUrl)}`);
-	if (beacon.role) lines.push(`  ${colorize(rich, theme.muted, "role")}: ${beacon.role}`);
-	if (beacon.transport) lines.push(`  ${colorize(rich, theme.muted, "transport")}: ${beacon.transport}`);
-	if (beacon.gatewayTls) {
-		const fingerprint = beacon.gatewayTlsFingerprintSha256 ? `sha256 ${beacon.gatewayTlsFingerprintSha256}` : "enabled";
-		lines.push(`  ${colorize(rich, theme.muted, "tls")}: ${fingerprint}`);
-	}
-	if (typeof beacon.sshPort === "number" && beacon.sshPort > 0 && host) {
-		const ssh = `ssh -N -L 18789:127.0.0.1:18789 <user>@${host} -p ${beacon.sshPort}`;
-		lines.push(`  ${colorize(rich, theme.muted, "ssh")}: ${colorize(rich, theme.command, ssh)}`);
-	}
-	return lines;
-}
-//#endregion
 //#region src/gateway/server/close-reason.ts
 const CLOSE_REASON_MAX_BYTES = 120;
 function truncateCloseReason(reason, maxBytes = CLOSE_REASON_MAX_BYTES) {
@@ -14371,7 +13507,7 @@ const nodeHandlers = {
 		const p = params;
 		const payloadJSON = typeof p.payloadJSON === "string" ? p.payloadJSON : p.payload !== void 0 ? JSON.stringify(p.payload) : null;
 		await respondUnavailableOnThrow(respond, async () => {
-			const { handleNodeEvent } = await import("./server-node-events-C876mSJD.js");
+			const { handleNodeEvent } = await import("./server-node-events-Ck1bPPa5.js");
 			const nodeId = client?.connect?.device?.id ?? client?.connect?.client?.id ?? "node";
 			await handleNodeEvent({
 				deps: context.deps,
@@ -15958,7 +15094,7 @@ const usageHandlers = {
 		const resolved = resolveSessionUsageFileOrRespond(key, respond);
 		if (!resolved) return;
 		const { config, entry, agentId, sessionId, sessionFile } = resolved;
-		const { loadSessionLogs } = await import("./session-cost-usage-BKD6u4HD.js").then((n) => n.a);
+		const { loadSessionLogs } = await import("./session-cost-usage-CBHvFXhD.js").then((n) => n.a);
 		respond(true, { logs: await loadSessionLogs({
 			sessionId,
 			sessionEntry: entry,
@@ -16687,6 +15823,9 @@ function hasConnectedMobileNode(registry) {
 //#endregion
 //#region src/gateway/server-model-catalog.ts
+function __resetModelCatalogCacheForTest() {
+	resetModelCatalogCacheForTest();
+}
 async function loadGatewayModelCatalog() {
 	return await loadModelCatalog({ config: loadConfig() });
 }
@@ -17510,7 +16649,7 @@ function normalizeAgentPayload(payload) {
 async function startBrowserControlServerIfEnabled() {
 	if (isTruthyEnvValue(process.env.OPENCLAW_SKIP_BROWSER_CONTROL_SERVER)) return null;
 	const override = process.env.OPENCLAW_BROWSER_CONTROL_MODULE?.trim();
-	const mod = override ? await import(override) : await import("./server-BM8Bplbe.js");
+	const mod = override ? await import(override) : await import("./server-DfSS2w17.js");
 	const start = typeof mod.startBrowserControlServiceFromConfig === "function" ? mod.startBrowserControlServiceFromConfig : mod.startBrowserControlServerFromConfig;
 	const stop = typeof mod.stopBrowserControlService === "function" ? mod.stopBrowserControlService : mod.stopBrowserControlServer;
 	if (!start) return null;
@@ -20842,9 +19981,9 @@ function createHooksRequestHandler(opts) {
 }
 function createGatewayHttpServer(opts) {
 	const { canvasHost, clients, controlUiEnabled, controlUiBasePath, controlUiRoot, openAiChatCompletionsEnabled, openAiChatCompletionsConfig, openResponsesEnabled, openResponsesConfig, strictTransportSecurityHeader, handleHooksRequest, handlePluginRequest, shouldEnforcePluginGatewayAuth, resolvedAuth, rateLimiter } = opts;
-	const httpServer = opts.tlsOptions ? createServer$2(opts.tlsOptions, (req, res) => {
+	const httpServer = opts.tlsOptions ? createServer$1(opts.tlsOptions, (req, res) => {
 		handleRequest(req, res);
-	}) : createServer$1((req, res) => {
+	}) : createServer((req, res) => {
 		handleRequest(req, res);
 	});
 	async function handleRequest(req, res) {
@@ -21104,189 +20243,6 @@ function createGatewayHooksRequestHandler(params) {
 	});
 }
-//#endregion
-//#region src/infra/gateway-lock.ts
-const DEFAULT_TIMEOUT_MS = 5e3;
-const DEFAULT_POLL_INTERVAL_MS = 100;
-const DEFAULT_STALE_MS = 3e4;
-const DEFAULT_PORT_PROBE_TIMEOUT_MS = 1e3;
-var GatewayLockError = class extends Error {
-	constructor(message, cause) {
-		super(message);
-		this.cause = cause;
-		this.name = "GatewayLockError";
-	}
-};
-function normalizeProcArg(arg) {
-	return arg.replaceAll("\\", "/").toLowerCase();
-}
-function parseProcCmdline(raw) {
-	return raw.split("\0").map((entry) => entry.trim()).filter(Boolean);
-}
-function isGatewayArgv(args) {
-	const normalized = args.map(normalizeProcArg);
-	if (!normalized.includes("gateway")) return false;
-	const entryCandidates = [
-		"dist/index.js",
-		"dist/entry.js",
-		"openclaw.mjs",
-		"scripts/run-node.mjs",
-		"src/index.ts"
-	];
-	if (normalized.some((arg) => entryCandidates.some((entry) => arg.endsWith(entry)))) return true;
-	const exe = normalized[0] ?? "";
-	return exe.endsWith("/openclaw") || exe === "openclaw";
-}
-function readLinuxCmdline(pid) {
-	try {
-		return parseProcCmdline(fs.readFileSync(`/proc/${pid}/cmdline`, "utf8"));
-	} catch {
-		return null;
-	}
-}
-function readLinuxStartTime(pid) {
-	try {
-		const raw = fs.readFileSync(`/proc/${pid}/stat`, "utf8").trim();
-		const closeParen = raw.lastIndexOf(")");
-		if (closeParen < 0) return null;
-		const fields = raw.slice(closeParen + 1).trim().split(/\s+/);
-		const startTime = Number.parseInt(fields[19] ?? "", 10);
-		return Number.isFinite(startTime) ? startTime : null;
-	} catch {
-		return null;
-	}
-}
-async function checkPortFree(port, host = "127.0.0.1") {
-	return await new Promise((resolve) => {
-		const socket = net.createConnection({
-			port,
-			host
-		});
-		let settled = false;
-		const finish = (result) => {
-			if (settled) return;
-			settled = true;
-			clearTimeout(timer);
-			socket.removeAllListeners();
-			socket.destroy();
-			resolve(result);
-		};
-		const timer = setTimeout(() => {
-			finish(true);
-		}, DEFAULT_PORT_PROBE_TIMEOUT_MS);
-		socket.once("connect", () => {
-			finish(false);
-		});
-		socket.once("error", () => {
-			finish(true);
-		});
-	});
-}
-async function resolveGatewayOwnerStatus(pid, payload, platform, port) {
-	if (port != null) {
-		if (await checkPortFree(port)) return "dead";
-	}
-	if (!isPidAlive(pid)) return "dead";
-	if (platform !== "linux") return "alive";
-	const payloadStartTime = payload?.startTime;
-	if (Number.isFinite(payloadStartTime)) {
-		const currentStartTime = readLinuxStartTime(pid);
-		if (currentStartTime == null) return "unknown";
-		return currentStartTime === payloadStartTime ? "alive" : "dead";
-	}
-	const args = readLinuxCmdline(pid);
-	if (!args) return "unknown";
-	return isGatewayArgv(args) ? "alive" : "dead";
-}
-async function readLockPayload(lockPath) {
-	try {
-		const raw = await fs$1.readFile(lockPath, "utf8");
-		const parsed = JSON.parse(raw);
-		if (typeof parsed.pid !== "number") return null;
-		if (typeof parsed.createdAt !== "string") return null;
-		if (typeof parsed.configPath !== "string") return null;
-		const startTime = typeof parsed.startTime === "number" ? parsed.startTime : void 0;
-		return {
-			pid: parsed.pid,
-			createdAt: parsed.createdAt,
-			configPath: parsed.configPath,
-			startTime
-		};
-	} catch {
-		return null;
-	}
-}
-function resolveGatewayLockPath(env) {
-	const configPath = resolveConfigPath(env, resolveStateDir(env));
-	const hash = createHash("sha256").update(configPath).digest("hex").slice(0, 8);
-	const lockDir = resolveGatewayLockDir();
-	return {
-		lockPath: path.join(lockDir, `gateway.${hash}.lock`),
-		configPath
-	};
-}
-async function acquireGatewayLock(opts = {}) {
-	const env = opts.env ?? process.env;
-	const allowInTests = opts.allowInTests === true;
-	if (env.OPENCLAW_ALLOW_MULTI_GATEWAY === "1" || !allowInTests && (env.VITEST || env.NODE_ENV === "test")) return null;
-	const timeoutMs = opts.timeoutMs ?? DEFAULT_TIMEOUT_MS;
-	const pollIntervalMs = opts.pollIntervalMs ?? DEFAULT_POLL_INTERVAL_MS;
-	const staleMs = opts.staleMs ?? DEFAULT_STALE_MS;
-	const platform = opts.platform ?? process.platform;
-	const port = opts.port;
-	const { lockPath, configPath } = resolveGatewayLockPath(env);
-	await fs$1.mkdir(path.dirname(lockPath), { recursive: true });
-	const startedAt = Date.now();
-	let lastPayload = null;
-	while (Date.now() - startedAt < timeoutMs) try {
-		const handle = await fs$1.open(lockPath, "wx");
-		const startTime = platform === "linux" ? readLinuxStartTime(process.pid) : null;
-		const payload = {
-			pid: process.pid,
-			createdAt: (/* @__PURE__ */ new Date()).toISOString(),
-			configPath
-		};
-		if (typeof startTime === "number" && Number.isFinite(startTime)) payload.startTime = startTime;
-		await handle.writeFile(JSON.stringify(payload), "utf8");
-		return {
-			lockPath,
-			configPath,
-			release: async () => {
-				await handle.close().catch(() => void 0);
-				await fs$1.rm(lockPath, { force: true });
-			}
-		};
-	} catch (err) {
-		if (err.code !== "EEXIST") throw new GatewayLockError(`failed to acquire gateway lock at ${lockPath}`, err);
-		lastPayload = await readLockPayload(lockPath);
-		const ownerPid = lastPayload?.pid;
-		const ownerStatus = ownerPid ? await resolveGatewayOwnerStatus(ownerPid, lastPayload, platform, port) : "unknown";
-		if (ownerStatus === "dead" && ownerPid) {
-			await fs$1.rm(lockPath, { force: true });
-			continue;
-		}
-		if (ownerStatus !== "alive") {
-			let stale = false;
-			if (lastPayload?.createdAt) {
-				const createdAt = Date.parse(lastPayload.createdAt);
-				stale = Number.isFinite(createdAt) ? Date.now() - createdAt > staleMs : false;
-			}
-			if (!stale) try {
-				const st = await fs$1.stat(lockPath);
-				stale = Date.now() - st.mtimeMs > staleMs;
-			} catch {
-				stale = false;
-			}
-			if (stale) {
-				await fs$1.rm(lockPath, { force: true });
-				continue;
-			}
-		}
-		await new Promise((r) => setTimeout(r, pollIntervalMs));
-	}
-	throw new GatewayLockError(`gateway already running${lastPayload?.pid ? ` (pid ${lastPayload.pid})` : ""}; lock timeout after ${timeoutMs}ms`);
-}
 //#endregion
 //#region src/gateway/server/http-listen.ts
 const EADDRINUSE_MAX_RETRIES = 4;
@@ -23645,8 +22601,8 @@ async function startGatewayServer(port = 18789, opts = {}) {
 	});
 	if (!minimalTestGateway) cron.start().catch((err) => logCron.error(`failed to start: ${String(err)}`));
 	if (!minimalTestGateway) (async () => {
-		const { recoverPendingDeliveries } = await import("./delivery-queue-DgdE_Ifa.js").then((n) => n.n);
-		const { deliverOutboundPayloads } = await import("./deliver-DPkEY6xb.js").then((n) => n.n);
+		const { recoverPendingDeliveries } = await import("./delivery-queue-BVKd_xSI.js").then((n) => n.n);
+		const { deliverOutboundPayloads } = await import("./deliver-Bge0HwrF.js").then((n) => n.n);
 		await recoverPendingDeliveries({
 			deliver: deliverOutboundPayloads,
 			log: log.child("delivery-recovery"),
@@ -23905,681 +22861,12 @@ async function startGatewayServer(port = 18789, opts = {}) {
 }
 //#endregion
-//#region src/cli/gateway-cli/dev.ts
-const DEV_IDENTITY_NAME = "C3-PO";
-const DEV_IDENTITY_THEME = "protocol droid";
-const DEV_IDENTITY_EMOJI = "🤖";
-const DEV_AGENT_WORKSPACE_SUFFIX = "dev";
-async function loadDevTemplate(name, fallback) {
-	try {
-		const templateDir = await resolveWorkspaceTemplateDir();
-		const raw = await fs.promises.readFile(path.join(templateDir, name), "utf-8");
-		if (!raw.startsWith("---")) return raw;
-		const endIndex = raw.indexOf("\n---", 3);
-		if (endIndex === -1) return raw;
-		return raw.slice(endIndex + 4).replace(/^\s+/, "");
-	} catch {
-		return fallback;
-	}
-}
-const resolveDevWorkspaceDir = (env = process.env) => {
-	const baseDir = resolveDefaultAgentWorkspaceDir(env, os.homedir);
-	if (env.OPENCLAW_PROFILE?.trim().toLowerCase() === "dev") return baseDir;
-	return `${baseDir}-${DEV_AGENT_WORKSPACE_SUFFIX}`;
-};
-async function writeFileIfMissing(filePath, content) {
-	try {
-		await fs.promises.writeFile(filePath, content, {
-			encoding: "utf-8",
-			flag: "wx"
-		});
-	} catch (err) {
-		if (err.code !== "EEXIST") throw err;
-	}
-}
-async function ensureDevWorkspace(dir) {
-	const resolvedDir = resolveUserPath(dir);
-	await fs.promises.mkdir(resolvedDir, { recursive: true });
-	const [agents, soul, tools, identity, user] = await Promise.all([
-		loadDevTemplate("AGENTS.dev.md", `# AGENTS.md - OpenClaw Dev Workspace\n\nDefault dev workspace for openclaw gateway --dev.\n`),
-		loadDevTemplate("SOUL.dev.md", `# SOUL.md - Dev Persona\n\nProtocol droid for debugging and operations.\n`),
-		loadDevTemplate("TOOLS.dev.md", `# TOOLS.md - User Tool Notes (editable)\n\nAdd your local tool notes here.\n`),
-		loadDevTemplate("IDENTITY.dev.md", `# IDENTITY.md - Agent Identity\n\n- Name: ${DEV_IDENTITY_NAME}\n- Creature: protocol droid\n- Vibe: ${DEV_IDENTITY_THEME}\n- Emoji: ${DEV_IDENTITY_EMOJI}\n`),
-		loadDevTemplate("USER.dev.md", `# USER.md - User Profile\n\n- Name:\n- Preferred address:\n- Notes:\n`)
-	]);
-	await writeFileIfMissing(path.join(resolvedDir, "AGENTS.md"), agents);
-	await writeFileIfMissing(path.join(resolvedDir, "SOUL.md"), soul);
-	await writeFileIfMissing(path.join(resolvedDir, "TOOLS.md"), tools);
-	await writeFileIfMissing(path.join(resolvedDir, "IDENTITY.md"), identity);
-	await writeFileIfMissing(path.join(resolvedDir, "USER.md"), user);
-}
-async function ensureDevGatewayConfig(opts) {
-	const workspace = resolveDevWorkspaceDir();
-	if (opts.reset) await handleReset("full", workspace, defaultRuntime);
-	const configPath = createConfigIO().configPath;
-	const configExists = fs.existsSync(configPath);
-	if (!opts.reset && configExists) return;
-	await writeConfigFile({
-		gateway: {
-			mode: "local",
-			bind: "loopback"
-		},
-		agents: {
-			defaults: {
-				workspace,
-				skipBootstrap: true
-			},
-			list: [{
-				id: "dev",
-				default: true,
-				workspace,
-				identity: {
-					name: DEV_IDENTITY_NAME,
-					theme: DEV_IDENTITY_THEME,
-					emoji: DEV_IDENTITY_EMOJI
-				}
-			}]
-		}
-	});
-	await ensureDevWorkspace(workspace);
-	defaultRuntime.log(`Dev config ready: ${shortenHomePath(configPath)}`);
-	defaultRuntime.log(`Dev workspace ready: ${shortenHomePath(resolveUserPath(workspace))}`);
-}
-//#endregion
-//#region src/infra/supervisor-markers.ts
-const SUPERVISOR_HINT_ENV_VARS = [
-	"LAUNCH_JOB_LABEL",
-	"LAUNCH_JOB_NAME",
-	"OPENCLAW_LAUNCHD_LABEL",
-	"OPENCLAW_SYSTEMD_UNIT",
-	"OPENCLAW_SERVICE_MARKER",
-	"INVOCATION_ID",
-	"SYSTEMD_EXEC_PID",
-	"JOURNAL_STREAM"
-];
-function hasSupervisorHint(env = process.env) {
-	return SUPERVISOR_HINT_ENV_VARS.some((key) => {
-		const value = env[key];
-		return typeof value === "string" && value.trim().length > 0;
-	});
-}
-//#endregion
-//#region src/infra/process-respawn.ts
-function isTruthy(value) {
-	if (!value) return false;
-	const normalized = value.trim().toLowerCase();
-	return normalized === "1" || normalized === "true" || normalized === "yes" || normalized === "on";
-}
-function isLikelySupervisedProcess(env = process.env) {
-	return hasSupervisorHint(env);
-}
-/**
-* Attempt to restart this process with a fresh PID.
-* - supervised environments (launchd/systemd): caller should exit and let supervisor restart
-* - OPENCLAW_NO_RESPAWN=1: caller should keep in-process restart behavior (tests/dev)
-* - otherwise: spawn detached child with current argv/execArgv, then caller exits
-*/
-function restartGatewayProcessWithFreshPid() {
-	if (isTruthy(process.env.OPENCLAW_NO_RESPAWN)) return { mode: "disabled" };
-	if (isLikelySupervisedProcess(process.env)) {
-		if (process.platform === "darwin" && process.env.OPENCLAW_LAUNCHD_LABEL?.trim()) {
-			const restart = triggerOpenClawRestart();
-			if (!restart.ok) return {
-				mode: "failed",
-				detail: restart.detail ?? "launchctl kickstart failed"
-			};
-		}
-		return { mode: "supervised" };
-	}
-	try {
-		const args = [...process.execArgv, ...process.argv.slice(1)];
-		const child = spawn(process.execPath, args, {
-			env: process.env,
-			detached: true,
-			stdio: "inherit"
-		});
-		child.unref();
-		return {
-			mode: "spawned",
-			pid: child.pid ?? void 0
-		};
-	} catch (err) {
-		return {
-			mode: "failed",
-			detail: err instanceof Error ? err.message : String(err)
-		};
-	}
-}
-//#endregion
-//#region src/process/restart-recovery.ts
-/**
-* Returns an iteration hook for in-process restart loops.
-* The first call is considered initial startup and does nothing.
-* Each subsequent call represents a restart iteration and invokes `onRestart`.
-*/
-function createRestartIterationHook(onRestart) {
-	let isFirstIteration = true;
-	return () => {
-		if (isFirstIteration) {
-			isFirstIteration = false;
-			return false;
-		}
-		onRestart();
-		return true;
-	};
-}
-//#endregion
-//#region src/cli/gateway-cli/run-loop.ts
-const gatewayLog$1 = createSubsystemLogger("gateway");
-async function runGatewayLoop(params) {
-	let lock = await acquireGatewayLock({ port: params.lockPort });
-	let server = null;
-	let shuttingDown = false;
-	let restartResolver = null;
-	const cleanupSignals = () => {
-		process.removeListener("SIGTERM", onSigterm);
-		process.removeListener("SIGINT", onSigint);
-		process.removeListener("SIGUSR1", onSigusr1);
-	};
-	const exitProcess = (code) => {
-		cleanupSignals();
-		params.runtime.exit(code);
-	};
-	const releaseLockIfHeld = async () => {
-		if (!lock) return false;
-		await lock.release();
-		lock = null;
-		return true;
-	};
-	const reacquireLockForInProcessRestart = async () => {
-		try {
-			lock = await acquireGatewayLock({ port: params.lockPort });
-			return true;
-		} catch (err) {
-			gatewayLog$1.error(`failed to reacquire gateway lock for in-process restart: ${String(err)}`);
-			exitProcess(1);
-			return false;
-		}
-	};
-	const handleRestartAfterServerClose = async () => {
-		const hadLock = await releaseLockIfHeld();
-		const respawn = restartGatewayProcessWithFreshPid();
-		if (respawn.mode === "spawned" || respawn.mode === "supervised") {
-			const modeLabel = respawn.mode === "spawned" ? `spawned pid ${respawn.pid ?? "unknown"}` : "supervisor restart";
-			gatewayLog$1.info(`restart mode: full process restart (${modeLabel})`);
-			exitProcess(0);
-			return;
-		}
-		if (respawn.mode === "failed") gatewayLog$1.warn(`full process restart failed (${respawn.detail ?? "unknown error"}); falling back to in-process restart`);
-		else gatewayLog$1.info("restart mode: in-process restart (OPENCLAW_NO_RESPAWN)");
-		if (hadLock && !await reacquireLockForInProcessRestart()) return;
-		shuttingDown = false;
-		restartResolver?.();
-	};
-	const handleStopAfterServerClose = async () => {
-		await releaseLockIfHeld();
-		exitProcess(0);
-	};
-	const DRAIN_TIMEOUT_MS = 3e4;
-	const SHUTDOWN_TIMEOUT_MS = 5e3;
-	const request = (action, signal) => {
-		if (shuttingDown) {
-			gatewayLog$1.info(`received ${signal} during shutdown; ignoring`);
-			return;
-		}
-		shuttingDown = true;
-		const isRestart = action === "restart";
-		gatewayLog$1.info(`received ${signal}; ${isRestart ? "restarting" : "shutting down"}`);
-		const forceExitMs = isRestart ? DRAIN_TIMEOUT_MS + SHUTDOWN_TIMEOUT_MS : SHUTDOWN_TIMEOUT_MS;
-		const forceExitTimer = setTimeout(() => {
-			gatewayLog$1.error("shutdown timed out; exiting without full cleanup");
-			exitProcess(0);
-		}, forceExitMs);
-		(async () => {
-			try {
-				if (isRestart) {
-					markGatewayDraining();
-					const activeTasks = getActiveTaskCount();
-					if (activeTasks > 0) {
-						gatewayLog$1.info(`draining ${activeTasks} active task(s) before restart (timeout ${DRAIN_TIMEOUT_MS}ms)`);
-						const { drained } = await waitForActiveTasks(DRAIN_TIMEOUT_MS);
-						if (drained) gatewayLog$1.info("all active tasks drained");
-						else gatewayLog$1.warn("drain timeout reached; proceeding with restart");
-					}
-				}
-				await server?.close({
-					reason: isRestart ? "gateway restarting" : "gateway stopping",
-					restartExpectedMs: isRestart ? 1500 : null
-				});
-			} catch (err) {
-				gatewayLog$1.error(`shutdown error: ${String(err)}`);
-			} finally {
-				clearTimeout(forceExitTimer);
-				server = null;
-				if (isRestart) await handleRestartAfterServerClose();
-				else await handleStopAfterServerClose();
-			}
-		})();
-	};
-	const onSigterm = () => {
-		gatewayLog$1.info("signal SIGTERM received");
-		request("stop", "SIGTERM");
-	};
-	const onSigint = () => {
-		gatewayLog$1.info("signal SIGINT received");
-		request("stop", "SIGINT");
-	};
-	const onSigusr1 = () => {
-		gatewayLog$1.info("signal SIGUSR1 received");
-		if (!consumeGatewaySigusr1RestartAuthorization() && !isGatewaySigusr1RestartExternallyAllowed()) {
-			gatewayLog$1.warn("SIGUSR1 restart ignored (not authorized; commands.restart=false or use gateway tool).");
-			return;
-		}
-		markGatewaySigusr1RestartHandled();
-		request("restart", "SIGUSR1");
-	};
-	process.on("SIGTERM", onSigterm);
-	process.on("SIGINT", onSigint);
-	process.on("SIGUSR1", onSigusr1);
-	try {
-		const onIteration = createRestartIterationHook(() => {
-			resetAllLanes();
-		});
-		while (true) {
-			onIteration();
-			server = await params.start();
-			await new Promise((resolve) => {
-				restartResolver = resolve;
-			});
-		}
-	} finally {
-		await releaseLockIfHeld();
-		cleanupSignals();
-	}
-}
-//#endregion
-//#region src/cli/gateway-cli/run.ts
-const gatewayLog = createSubsystemLogger("gateway");
-const GATEWAY_RUN_VALUE_KEYS = [
-	"port",
-	"bind",
-	"token",
-	"auth",
-	"password",
-	"tailscale",
-	"wsLog",
-	"rawStreamPath"
-];
-const GATEWAY_RUN_BOOLEAN_KEYS = [
-	"tailscaleResetOnExit",
-	"allowUnconfigured",
-	"dev",
-	"reset",
-	"force",
-	"verbose",
-	"claudeCliLogs",
-	"compact",
-	"rawStream"
-];
-const GATEWAY_AUTH_MODES = [
-	"none",
-	"token",
-	"password",
-	"trusted-proxy"
-];
-const GATEWAY_TAILSCALE_MODES = [
-	"off",
-	"serve",
-	"funnel"
-];
-function parseEnumOption(raw, allowed) {
-	if (!raw) return null;
-	return allowed.includes(raw) ? raw : null;
-}
-function formatModeChoices(modes) {
-	return modes.map((mode) => `"${mode}"`).join("|");
-}
-function formatModeErrorList(modes) {
-	const quoted = modes.map((mode) => `"${mode}"`);
-	if (quoted.length === 0) return "";
-	if (quoted.length === 1) return quoted[0];
-	if (quoted.length === 2) return `${quoted[0]} or ${quoted[1]}`;
-	return `${quoted.slice(0, -1).join(", ")}, or ${quoted[quoted.length - 1]}`;
-}
-function resolveGatewayRunOptions(opts, command) {
-	const resolved = { ...opts };
-	for (const key of GATEWAY_RUN_VALUE_KEYS) {
-		const inherited = inheritOptionFromParent(command, key);
-		if (key === "wsLog") {
-			resolved[key] = inherited ?? resolved[key];
-			continue;
-		}
-		resolved[key] = resolved[key] ?? inherited;
-	}
-	for (const key of GATEWAY_RUN_BOOLEAN_KEYS) {
-		const inherited = inheritOptionFromParent(command, key);
-		resolved[key] = Boolean(resolved[key] || inherited);
-	}
-	return resolved;
-}
-async function runGatewayCommand$1(opts) {
-	const isDevProfile = process.env.OPENCLAW_PROFILE?.trim().toLowerCase() === "dev";
-	const devMode = Boolean(opts.dev) || isDevProfile;
-	if (opts.reset && !devMode) {
-		defaultRuntime.error("Use --reset with --dev.");
-		defaultRuntime.exit(1);
-		return;
-	}
-	setConsoleTimestampPrefix(true);
-	setVerbose(Boolean(opts.verbose));
-	if (opts.claudeCliLogs) {
-		setConsoleSubsystemFilter(["agent/claude-cli"]);
-		process.env.OPENCLAW_CLAUDE_CLI_LOG_OUTPUT = "1";
-	}
-	const wsLogRaw = opts.compact ? "compact" : opts.wsLog;
-	const wsLogStyle = wsLogRaw === "compact" ? "compact" : wsLogRaw === "full" ? "full" : "auto";
-	if (wsLogRaw !== void 0 && wsLogRaw !== "auto" && wsLogRaw !== "compact" && wsLogRaw !== "full") {
-		defaultRuntime.error("Invalid --ws-log (use \"auto\", \"full\", \"compact\")");
-		defaultRuntime.exit(1);
-	}
-	setGatewayWsLogStyle(wsLogStyle);
-	if (opts.rawStream) process.env.OPENCLAW_RAW_STREAM = "1";
-	const rawStreamPath = toOptionString(opts.rawStreamPath);
-	if (rawStreamPath) process.env.OPENCLAW_RAW_STREAM_PATH = rawStreamPath;
-	if (devMode) await ensureDevGatewayConfig({ reset: Boolean(opts.reset) });
-	const cfg = loadConfig();
-	const portOverride = parsePort$1(opts.port);
-	if (opts.port !== void 0 && portOverride === null) {
-		defaultRuntime.error("Invalid port");
-		defaultRuntime.exit(1);
-	}
-	const port = portOverride ?? resolveGatewayPort(cfg);
-	if (!Number.isFinite(port) || port <= 0) {
-		defaultRuntime.error("Invalid port");
-		defaultRuntime.exit(1);
-	}
-	const bindRaw = toOptionString(opts.bind) ?? cfg.gateway?.bind ?? "loopback";
-	const bind = bindRaw === "loopback" || bindRaw === "lan" || bindRaw === "auto" || bindRaw === "custom" || bindRaw === "tailnet" ? bindRaw : null;
-	if (!bind) {
-		defaultRuntime.error("Invalid --bind (use \"loopback\", \"lan\", \"tailnet\", \"auto\", or \"custom\")");
-		defaultRuntime.exit(1);
-		return;
-	}
-	if (opts.force) try {
-		const { killed, waitedMs, escalatedToSigkill } = await forceFreePortAndWait(port, {
-			timeoutMs: 2e3,
-			intervalMs: 100,
-			sigtermTimeoutMs: 700
-		});
-		if (killed.length === 0) gatewayLog.info(`force: no listeners on port ${port}`);
-		else {
-			for (const proc of killed) gatewayLog.info(`force: killed pid ${proc.pid}${proc.command ? ` (${proc.command})` : ""} on port ${port}`);
-			if (escalatedToSigkill) gatewayLog.info(`force: escalated to SIGKILL while freeing port ${port}`);
-			if (waitedMs > 0) gatewayLog.info(`force: waited ${waitedMs}ms for port ${port} to free`);
-		}
-		const bindWaitMs = await waitForPortBindable(port, {
-			timeoutMs: 3e3,
-			intervalMs: 150,
-			host: bind === "loopback" ? "127.0.0.1" : bind === "lan" ? "0.0.0.0" : bind === "custom" ? toOptionString(cfg.gateway?.customBindHost) : void 0
-		});
-		if (bindWaitMs > 0) gatewayLog.info(`force: waited ${bindWaitMs}ms for port ${port} to become bindable`);
-	} catch (err) {
-		defaultRuntime.error(`Force: ${String(err)}`);
-		defaultRuntime.exit(1);
-		return;
-	}
-	if (opts.token) {
-		const token = toOptionString(opts.token);
-		if (token) process.env.OPENCLAW_GATEWAY_TOKEN = token;
-	}
-	const authModeRaw = toOptionString(opts.auth);
-	const authMode = parseEnumOption(authModeRaw, GATEWAY_AUTH_MODES);
-	if (authModeRaw && !authMode) {
-		defaultRuntime.error(`Invalid --auth (use ${formatModeErrorList(GATEWAY_AUTH_MODES)})`);
-		defaultRuntime.exit(1);
-		return;
-	}
-	const tailscaleRaw = toOptionString(opts.tailscale);
-	const tailscaleMode = parseEnumOption(tailscaleRaw, GATEWAY_TAILSCALE_MODES);
-	if (tailscaleRaw && !tailscaleMode) {
-		defaultRuntime.error(`Invalid --tailscale (use ${formatModeErrorList(GATEWAY_TAILSCALE_MODES)})`);
-		defaultRuntime.exit(1);
-		return;
-	}
-	const passwordRaw = toOptionString(opts.password);
-	const tokenRaw = toOptionString(opts.token);
-	const snapshot = await readConfigFileSnapshot().catch(() => null);
-	const configExists = snapshot?.exists ?? fs.existsSync(CONFIG_PATH);
-	const configAuditPath = path.join(resolveStateDir(process.env), "logs", "config-audit.jsonl");
-	const mode = cfg.gateway?.mode;
-	if (!opts.allowUnconfigured && mode !== "local") {
-		if (!configExists) defaultRuntime.error(`Missing config. Run \`${formatCliCommand("openclaw setup")}\` or set gateway.mode=local (or pass --allow-unconfigured).`);
-		else {
-			defaultRuntime.error(`Gateway start blocked: set gateway.mode=local (current: ${mode ?? "unset"}) or pass --allow-unconfigured.`);
-			defaultRuntime.error(`Config write audit: ${configAuditPath}`);
-		}
-		defaultRuntime.exit(1);
-		return;
-	}
-	const miskeys = extractGatewayMiskeys(snapshot?.parsed);
-	const authOverride = authMode || passwordRaw || tokenRaw || authModeRaw ? {
-		...authMode ? { mode: authMode } : {},
-		...tokenRaw ? { token: tokenRaw } : {},
-		...passwordRaw ? { password: passwordRaw } : {}
-	} : void 0;
-	const resolvedAuth = resolveGatewayAuth({
-		authConfig: cfg.gateway?.auth,
-		authOverride,
-		env: process.env,
-		tailscaleMode: tailscaleMode ?? cfg.gateway?.tailscale?.mode ?? "off"
-	});
-	const resolvedAuthMode = resolvedAuth.mode;
-	const tokenValue = resolvedAuth.token;
-	const passwordValue = resolvedAuth.password;
-	const hasToken = typeof tokenValue === "string" && tokenValue.trim().length > 0;
-	const hasPassword = typeof passwordValue === "string" && passwordValue.trim().length > 0;
-	const tokenConfigured = hasToken || hasConfiguredSecretInput(authOverride?.token ?? cfg.gateway?.auth?.token, cfg.secrets?.defaults);
-	const passwordConfigured = hasPassword || hasConfiguredSecretInput(authOverride?.password ?? cfg.gateway?.auth?.password, cfg.secrets?.defaults);
-	const hasSharedSecret = resolvedAuthMode === "token" && tokenConfigured || resolvedAuthMode === "password" && passwordConfigured;
-	const canBootstrapToken = resolvedAuthMode === "token" && !tokenConfigured;
-	const authHints = [];
-	if (miskeys.hasGatewayToken) authHints.push("Found \"gateway.token\" in config. Use \"gateway.auth.token\" instead.");
-	if (miskeys.hasRemoteToken) authHints.push("\"gateway.remote.token\" is for remote CLI calls; it does not enable local gateway auth.");
-	if (resolvedAuthMode === "password" && !passwordConfigured) {
-		defaultRuntime.error([
-			"Gateway auth is set to password, but no password is configured.",
-			"Set gateway.auth.password (or OPENCLAW_GATEWAY_PASSWORD), or pass --password.",
-			...authHints
-		].filter(Boolean).join("\n"));
-		defaultRuntime.exit(1);
-		return;
-	}
-	if (resolvedAuthMode === "none") gatewayLog.warn("Gateway auth mode=none explicitly configured; all gateway connections are unauthenticated.");
-	if (bind !== "loopback" && !hasSharedSecret && !canBootstrapToken && resolvedAuthMode !== "trusted-proxy" && resolvedAuthMode !== "iam") {
-		defaultRuntime.error([
-			`Refusing to bind gateway to ${bind} without auth.`,
-			"Set gateway.auth.token/password (or OPENCLAW_GATEWAY_TOKEN/OPENCLAW_GATEWAY_PASSWORD) or pass --token/--password.",
-			...authHints
-		].filter(Boolean).join("\n"));
-		defaultRuntime.exit(1);
-		return;
-	}
-	const tailscaleOverride = tailscaleMode || opts.tailscaleResetOnExit ? {
-		...tailscaleMode ? { mode: tailscaleMode } : {},
-		...opts.tailscaleResetOnExit ? { resetOnExit: true } : {}
-	} : void 0;
-	try {
-		await runGatewayLoop({
-			runtime: defaultRuntime,
-			lockPort: port,
-			start: async () => await startGatewayServer(port, {
-				bind,
-				auth: authOverride,
-				tailscale: tailscaleOverride
-			})
-		});
-	} catch (err) {
-		if (err instanceof GatewayLockError || err && typeof err === "object" && err.name === "GatewayLockError") {
-			const errMessage = describeUnknownError(err);
-			defaultRuntime.error(`Gateway failed to start: ${errMessage}\nIf the gateway is supervised, stop it with: ${formatCliCommand("openclaw gateway stop")}`);
-			try {
-				const diagnostics = await inspectPortUsage(port);
-				if (diagnostics.status === "busy") for (const line of formatPortDiagnostics(diagnostics)) defaultRuntime.error(line);
-			} catch {}
-			await maybeExplainGatewayServiceStop();
-			defaultRuntime.exit(1);
-			return;
-		}
-		defaultRuntime.error(`Gateway failed to start: ${String(err)}`);
-		defaultRuntime.exit(1);
-	}
-}
-function addGatewayRunCommand(cmd) {
-	return cmd.option("--port <port>", "Port for the gateway WebSocket").option("--bind <mode>", "Bind mode (\"loopback\"|\"lan\"|\"tailnet\"|\"auto\"|\"custom\"). Defaults to config gateway.bind (or loopback).").option("--token <token>", "Shared token required in connect.params.auth.token (default: OPENCLAW_GATEWAY_TOKEN env if set)").option("--auth <mode>", `Gateway auth mode (${formatModeChoices(GATEWAY_AUTH_MODES)})`).option("--password <password>", "Password for auth mode=password").option("--tailscale <mode>", `Tailscale exposure mode (${formatModeChoices(GATEWAY_TAILSCALE_MODES)})`).option("--tailscale-reset-on-exit", "Reset Tailscale serve/funnel configuration on shutdown", false).option("--allow-unconfigured", "Allow gateway start without gateway.mode=local in config", false).option("--dev", "Create a dev config + workspace if missing (no BOOTSTRAP.md)", false).option("--reset", "Reset dev config + credentials + sessions + workspace (requires --dev)", false).option("--force", "Kill any existing listener on the target port before starting", false).option("--verbose", "Verbose logging to stdout/stderr", false).option("--claude-cli-logs", "Only show claude-cli logs in the console (includes stdout/stderr)", false).option("--ws-log <style>", "WebSocket log style (\"auto\"|\"full\"|\"compact\")", "auto").option("--compact", "Alias for \"--ws-log compact\"", false).option("--raw-stream", "Log raw model stream events to jsonl", false).option("--raw-stream-path <path>", "Raw stream jsonl path").action(async (opts, command) => {
-		await runGatewayCommand$1(resolveGatewayRunOptions(opts, command));
-	});
-}
-//#endregion
-//#region src/cli/gateway-cli/register.ts
-function runGatewayCommand(action, label) {
-	return runCommandWithRuntime(defaultRuntime, action, (err) => {
-		const message = String(err);
-		defaultRuntime.error(label ? `${label}: ${message}` : message);
-		defaultRuntime.exit(1);
-	});
-}
-function parseDaysOption(raw, fallback = 30) {
-	if (typeof raw === "number" && Number.isFinite(raw)) return Math.max(1, Math.floor(raw));
-	if (typeof raw === "string" && raw.trim() !== "") {
-		const parsed = Number(raw);
-		if (Number.isFinite(parsed)) return Math.max(1, Math.floor(parsed));
-	}
-	return fallback;
-}
-function resolveGatewayRpcOptions(opts, command) {
-	const parentToken = inheritOptionFromParent(command, "token");
-	const parentPassword = inheritOptionFromParent(command, "password");
-	return {
-		...opts,
-		token: opts.token ?? parentToken,
-		password: opts.password ?? parentPassword
-	};
-}
-function renderCostUsageSummary(summary, days, rich) {
-	const totalCost = formatUsd(summary.totals.totalCost) ?? "$0.00";
-	const totalTokens = formatTokenCount(summary.totals.totalTokens) ?? "0";
-	const lines = [colorize(rich, theme.heading, `Usage cost (${days} days)`), `${colorize(rich, theme.muted, "Total:")} ${totalCost} · ${totalTokens} tokens`];
-	if (summary.totals.missingCostEntries > 0) lines.push(`${colorize(rich, theme.muted, "Missing entries:")} ${summary.totals.missingCostEntries}`);
-	const latest = summary.daily.at(-1);
-	if (latest) {
-		const latestCost = formatUsd(latest.totalCost) ?? "$0.00";
-		const latestTokens = formatTokenCount(latest.totalTokens) ?? "0";
-		lines.push(`${colorize(rich, theme.muted, "Latest day:")} ${latest.date} · ${latestCost} · ${latestTokens} tokens`);
-	}
-	return lines;
-}
-function registerGatewayCli(program) {
-	const gateway = addGatewayRunCommand(program.command("gateway").description("Run, inspect, and query the WebSocket Gateway").addHelpText("after", () => `\n${theme.heading("Examples:")}\n${formatHelpExamples([
-		["openclaw gateway run", "Run the gateway in the foreground."],
-		["openclaw gateway status", "Show service status and probe reachability."],
-		["openclaw gateway discover", "Find local and wide-area gateway beacons."],
-		["openclaw gateway call health", "Call a gateway RPC method directly."]
-	])}\n\n${theme.muted("Docs:")} ${formatDocsLink("/cli/gateway", "docs.openclaw.ai/cli/gateway")}\n`));
-	addGatewayRunCommand(gateway.command("run").description("Run the WebSocket Gateway (foreground)"));
-	addGatewayServiceCommands(gateway, { statusDescription: "Show gateway service status + probe the Gateway" });
-	gatewayCallOpts(gateway.command("call").description("Call a Gateway method").argument("<method>", "Method name (health/status/system-presence/cron.*)").option("--params <json>", "JSON object string for params", "{}").action(async (method, opts, command) => {
-		await runGatewayCommand(async () => {
-			const rpcOpts = resolveGatewayRpcOptions(opts, command);
-			const result = await callGatewayCli(method, rpcOpts, JSON.parse(String(opts.params ?? "{}")));
-			if (rpcOpts.json) {
-				defaultRuntime.log(JSON.stringify(result, null, 2));
-				return;
-			}
-			const rich = isRich();
-			defaultRuntime.log(`${colorize(rich, theme.heading, "Gateway call")}: ${colorize(rich, theme.muted, String(method))}`);
-			defaultRuntime.log(JSON.stringify(result, null, 2));
-		}, "Gateway call failed");
-	}));
-	gatewayCallOpts(gateway.command("usage-cost").description("Fetch usage cost summary from session logs").option("--days <days>", "Number of days to include", "30").action(async (opts, command) => {
-		await runGatewayCommand(async () => {
-			const rpcOpts = resolveGatewayRpcOptions(opts, command);
-			const days = parseDaysOption(opts.days);
-			const result = await callGatewayCli("usage.cost", rpcOpts, { days });
-			if (rpcOpts.json) {
-				defaultRuntime.log(JSON.stringify(result, null, 2));
-				return;
-			}
-			const rich = isRich();
-			const summary = result;
-			for (const line of renderCostUsageSummary(summary, days, rich)) defaultRuntime.log(line);
-		}, "Gateway usage cost failed");
-	}));
-	gatewayCallOpts(gateway.command("health").description("Fetch Gateway health").action(async (opts, command) => {
-		await runGatewayCommand(async () => {
-			const rpcOpts = resolveGatewayRpcOptions(opts, command);
-			const result = await callGatewayCli("health", rpcOpts);
-			if (rpcOpts.json) {
-				defaultRuntime.log(JSON.stringify(result, null, 2));
-				return;
-			}
-			const rich = isRich();
-			const obj = result && typeof result === "object" ? result : {};
-			const durationMs = typeof obj.durationMs === "number" ? obj.durationMs : null;
-			defaultRuntime.log(colorize(rich, theme.heading, "Gateway Health"));
-			defaultRuntime.log(`${colorize(rich, theme.success, "OK")}${durationMs != null ? ` (${durationMs}ms)` : ""}`);
-			if (obj.channels && typeof obj.channels === "object") for (const line of formatHealthChannelLines(obj)) defaultRuntime.log(styleHealthChannelLine(line, rich));
-		});
-	}));
-	gateway.command("probe").description("Show gateway reachability + discovery + health + status summary (local + remote)").option("--url <url>", "Explicit Gateway WebSocket URL (still probes localhost)").option("--ssh <target>", "SSH target for remote gateway tunnel (user@host or user@host:port)").option("--ssh-identity <path>", "SSH identity file path").option("--ssh-auto", "Try to derive an SSH target from Bonjour discovery", false).option("--token <token>", "Gateway token (applies to all probes)").option("--password <password>", "Gateway password (applies to all probes)").option("--timeout <ms>", "Overall probe budget in ms", "3000").option("--json", "Output JSON", false).action(async (opts, command) => {
-		await runGatewayCommand(async () => {
-			await gatewayStatusCommand(resolveGatewayRpcOptions(opts, command), defaultRuntime);
-		});
-	});
-	gateway.command("discover").description("Discover gateways via Bonjour (local + wide-area if configured)").option("--timeout <ms>", "Per-command timeout in ms", "2000").option("--json", "Output JSON", false).action(async (opts) => {
-		await runGatewayCommand(async () => {
-			const wideAreaDomain = resolveWideAreaDiscoveryDomain({ configDomain: loadConfig().discovery?.wideArea?.domain });
-			const timeoutMs = parseDiscoverTimeoutMs(opts.timeout, 2e3);
-			const domains = ["local.", ...wideAreaDomain ? [wideAreaDomain] : []];
-			const deduped = dedupeBeacons(await withProgress({
-				label: "Scanning for gateways…",
-				indeterminate: true,
-				enabled: opts.json !== true,
-				delayMs: 0
-			}, async () => await discoverGatewayBeacons({
-				timeoutMs,
-				wideAreaDomain
-			}))).toSorted((a, b) => String(a.displayName || a.instanceName).localeCompare(String(b.displayName || b.instanceName)));
-			if (opts.json) {
-				const enriched = deduped.map((b) => {
-					const host = pickBeaconHost(b);
-					const port = pickGatewayPort(b);
-					return {
-						...b,
-						wsUrl: host ? `ws://${host}:${port}` : null
-					};
-				});
-				defaultRuntime.log(JSON.stringify({
-					timeoutMs,
-					domains,
-					count: enriched.length,
-					beacons: enriched
-				}, null, 2));
-				return;
-			}
-			const rich = isRich();
-			defaultRuntime.log(colorize(rich, theme.heading, "Gateway Discovery"));
-			defaultRuntime.log(colorize(rich, theme.muted, `Found ${deduped.length} gateway(s) · domains: ${domains.join(", ")}`));
-			if (deduped.length === 0) return;
-			for (const beacon of deduped) for (const line of renderBeaconLines(beacon, rich)) defaultRuntime.log(line);
-		}, "gateway discover failed");
-	});
-}
+//#region src/gateway/server.ts
+var server_exports = /* @__PURE__ */ __exportAll({
+	__resetModelCatalogCacheForTest: () => __resetModelCatalogCacheForTest,
+	startGatewayServer: () => startGatewayServer,
+	truncateCloseReason: () => truncateCloseReason
+});
 //#endregion
-export { registerGatewayCli };
+export { startGatewayServer as n, server_exports as t };